EUVD-2025-17301CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3Description
Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg allows Stored XSS. This issue affects Konami Easter Egg: from n/a through v0.4.
Analysis
Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft's Konami Easter Egg browser extension (versions through v0.4) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can craft a malicious request to inject persistent JavaScript code that executes in the context of affected users' browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to users of the extension, though real-world exploitation likelihood depends on whether public exploits exist and the extension's actual user base.
Technical Context
The vulnerability exists in Adrian Hanft's Konami Easter Egg extension, a browser add-on that typically detects the classic Konami Code (↑↑↓↓←→←→BA) input sequence. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which indicates insufficient CSRF token validation or same-origin policy enforcement. The vulnerability's mechanism leverages the combination of CSRF (allowing forged requests without proper authorization checks) and Stored XSS (permitting unsanitized user input to be persisted and executed). Browser extensions operate with elevated privileges and can interact with arbitrary web pages, making CSRF-XSS chains particularly dangerous. The extension likely accepts user input or configuration that is neither properly validated against CSRF attacks nor sanitized before storage and execution, violating both OWASP A01:2021 (Broken Access Control) and A03:2021 (Injection).
Affected Products
Adrian Hanft Konami Easter Egg: versions n/a through v0.4 inclusive. No specific CPE string is provided in the data, but the affected range is clearly demarcated. Likely CPE would follow pattern: cpe:2.3:a:adrian_hanft:konami_easter_egg:*:*:*:*:*:browser:*:* (with version constraints <=0.4). The description does not specify browser compatibility (Chrome, Firefox, Edge, etc.), so the vulnerability likely affects all browser extensions of this name across platforms. Any user running Konami Easter Egg v0.4 or earlier is affected. No vendor advisory links are provided in the source data.
Remediation
Immediate actions: (1) Users should disable or uninstall Konami Easter Egg extension immediately if running v0.4 or earlier; (2) Extension administrators should upgrade to a patched version beyond v0.4 once available (current patch version not specified in provided data—check official extension repository or GitHub for updates); (3) Developers should implement: CSRF token validation on all state-changing requests, Content Security Policy (CSP) headers to prevent inline script execution, input sanitization and output encoding for all user-controllable data, and security review of extension permissions. Browser administrators can disable the extension via policy if mass remediation is needed. Without explicit patch version information in the provided data, recommend checking the Adrian Hanft GitHub repository or official extension store (Chrome Web Store, Firefox Add-ons, etc.) for v0.5+ or security patches labeled as CSRF/XSS fixes.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today