CVE-2025-66563

EUVD-2025-201320 MEDIUM
2025-12-04 [email protected]
6.1 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned, Mar 15, 2026 - 16:35 (euvd): EUVD-2025-201320
Analysis Generated, Mar 15, 2026 - 16:35 (vuln.today)
Patch Released, Mar 15, 2026 - 16:35 (nvd): Patch available
PoC Detected, Dec 17, 2025 - 16:12 (vuln.today): Public exploit code
CVE Published, Dec 04, 2025 - 23:15 (nvd): MEDIUM 6.1

Description (NVD)

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious JavaScript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

Technical Context (AI)

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

Remediation (AI)

A vendor patch is available; apply it immediately. Encode all user-supplied output for the context it is written into (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use the HttpOnly and Secure cookie flags.
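The description's unencoded quote.text and quote.source and the output-encoding remediation, shown side by side as an added example (not Monkeytype's code and not the vendor patch). The markup template, the data-source attribute, the function names and the sample quotes are assumptions constructed for illustration.

```javascript
// Added example: hypothetical rendering helpers, not Monkeytype's own code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and double-quoted attribute contexts (single pass).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 'Before' pattern the description reports: fields concatenated into markup as-is.
function renderQuoteUnsafe(quote) {
  return `<div class="quote" data-source="${quote.source}">` +
         `<textarea readonly>${quote.text}</textarea></div>`;
}

// Hardened form: each field is encoded before it reaches the markup.
// In a browser, assigning via element.textContent / textarea.value avoids
// HTML parsing altogether and is preferable where the DOM API is available.
function renderQuoteSafe(quote) {
  return `<div class="quote" data-source="${escapeHtml(quote.source)}">` +
         `<textarea readonly>${escapeHtml(quote.text)}</textarea></div>`;
}

// Regression check: the output must still be exactly the template's own
// structure, with no extra tags or attributes contributed by the data.
function templateIntact(html) {
  return /^<div class="quote" data-source="[^"<>]*"><textarea readonly>[^<>]*<\/textarea><\/div>$/.test(html);
}

// Constructed sample: benign markup that leaves the textarea and the attribute.
const constructedSubmission = {
  text: "typed text</textarea><b>rendered</b>",
  source: 'Some Book" title="injected',
};
// Constructed sample: an ordinary quote with no markup characters.
const ordinarySubmission = { text: "The quick brown fox.", source: "Typing Primer" };

console.log("unsafe intact:", templateIntact(renderQuoteUnsafe(constructedSubmission)));
console.log("safe intact:  ", templateIntact(renderQuoteSafe(constructedSubmission)));
console.log(renderQuoteSafe(constructedSubmission));
```

A check like templateIntact can run as a unit test over every field that accepts user submissions, so a template that reverts to raw interpolation fails the build.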
