Skip to main content

Session Fixation CVE-2025-52557

| EUVDEUVD-2025-18797 HIGH
Improper Handling of Physical or Environmental Conditions (CWE-1384)
2025-06-21 security-advisories@github.com
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 21:35 euvd
EUVD-2025-18797
Analysis Generated
Mar 15, 2026 - 21:35 vuln.today
CVE Published
Jun 21, 2025 - 02:15 nvd
HIGH 8.6

DescriptionGitHub Advisory

Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.

AnalysisAI

CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.

Technical ContextAI

Mail-0 Zero is an open-source email client/server solution that processes and renders email messages in a web interface. The vulnerability stems from CWE-1384 (Improper Neutralization of Noninput Request Data Before Storage or Transmission), which is a variant of improper input sanitization affecting email content handling. The root cause is inadequate HTML/JavaScript sanitization when parsing email messages before rendering them in the browser DOM. The email parsing/rendering pipeline fails to strip or escape dangerous HTML tags (such as <script>, event handlers like onclick, or other XSS vectors) from email bodies. When the email is displayed to an authenticated user via the web UI, the unsanitized content executes with the privileges of the user's authenticated session, allowing the attacker to steal session tokens, cookies, or perform actions on behalf of the victim. CPE identification would be: cpe:2.3:a:mail-0:zero:0.8:*:*:*:*:*:*:*

RemediationAI

Upgrade Mail-0 Zero from version 0.8 to version 0.81 or later; priority: IMMEDIATE; steps: ['Review Mail-0 Zero release notes and changelog for version 0.81+', 'Test patch in non-production environment', 'Deploy patch to all instances running version 0.8', 'Verify successful upgrade and test email rendering functionality'] Workaround (temporary, pre-patch): Disable or restrict web UI access until patch is applied; steps: ['Configure reverse proxy (nginx/Apache) to restrict access to web UI to trusted IPs only', 'Instruct users to use alternative email clients (IMAP/POP3) instead of web interface', 'Implement Content Security Policy (CSP) headers to restrict inline script execution (defense-in-depth)'] Detection and Monitoring: Monitor for exploitation attempts; steps: ['Review email message logs for suspicious JavaScript content in message bodies', 'Monitor session logs for anomalous authentication patterns (session reuse from unexpected IPs)', 'Implement WAF/IDS rules to detect XSS payloads in email headers/bodies']

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

CVE-2025-52557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy