CVE-2025-8535
Published: 05 August 2025
Summary
CVE-2025-8535 is a low-severity Cross-site Scripting (CWE-79) vulnerability in Metaclinic Nanovault. Its CVSS base score is 3.5 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates web inputs to reject script-related content that could produce XSS.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
Directly prevents execution of attacker-supplied code written into data memory regions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in executeJavaScript enables arbitrary JS execution (T1059.007) via malicious URL/link interaction (T1204.001).
NVD Description
A vulnerability, which was classified as problematic, has been found in cronoh NanoVault up to 1.2.1. This issue affects the function executeJavaScript of the file /main.js of the component xrb URL Handler. The manipulation leads to cross site scripting. The…
more
attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-8535 is a cross-site scripting (XSS) vulnerability classified as problematic in cronoh NanoVault versions up to 1.2.1. The issue resides in the executeJavaScript function within the /main.js file of the xrb URL Handler component. Manipulation of this function enables XSS, with associated CWEs including CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). The vulnerability carries a CVSS v3.1 base score of 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N), indicating low severity with network accessibility, low attack complexity, and low privileges required.
A remote attacker with low privileges can exploit this vulnerability by tricking a user into interacting with malicious content, such as clicking a crafted link or opening a manipulated xrb URL. Successful exploitation leads to XSS, allowing the attacker to inject and execute arbitrary scripts in the context of the affected application, resulting in limited integrity impacts but no confidentiality or availability disruption.
Advisories from VulDB detail the issue and note that the exploit has been publicly disclosed via a Google Drive link and a GitHub Gist, with the vendor contacted early but providing no response. No patches or official mitigations are mentioned in the available references, leaving affected systems reliant on user awareness to avoid phishing or malicious URL interactions until further vendor action.
Details
- CWE(s)