CVE-2025-69993

EUVD-2025-209449 | Severity: MEDIUM | Base score: 6.1 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 14, 2026 - 15:26 (vuln.today)

Description (NVD)

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.

Analysis (AI)

Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time. The vulnerability carries a CVSS 6.1 base score, reflecting moderate risk: the attack surface is network-accessible, but user interaction is required.

Technical Context (AI)

Leaflet is a popular open-source JavaScript mapping library used to render interactive web maps. The bindPopup() method attaches HTML content to map features (markers, polygons, etc.) that is displayed when a user clicks on them. The vulnerability stems from the method's failure to sanitize or escape user-supplied input before rendering it as raw HTML in the DOM. This is a classic reflected or stored XSS flaw: the application trusts HTML content that should be treated as untrusted user data. Event handler attributes (onerror, onload, onclick, etc.) in the injected HTML are wired up by the browser's HTML parser and fire without any further action by the victim (an onerror handler on an image that fails to load runs as soon as the popup is rendered), leading to arbitrary JavaScript execution in the security context of the victim's browser session. The attack surface includes any web application embedding Leaflet that accepts user input (via URL parameters, form fields, or database content) and passes it to bindPopup() without prior sanitization.

Remediation (AI)

Developers must upgrade Leaflet to a patched version beyond 1.9.4 (consult the official Leaflet GitHub repository or npm page for the exact fix version). As an interim workaround before patching, sanitize all user-supplied input before passing it to bindPopup() using an HTML sanitization library such as DOMPurify (client-side), bleach (Python, for server-side rendering), or the OWASP HTML Sanitizer. Implement Content Security Policy (CSP) headers with 'script-src' restrictions to limit the impact of XSS even if injection occurs. Review and audit every call to bindPopup() in your codebase to identify which ones accept dynamic or user-controlled content. For applications where map content is entirely under developer control, the risk is lower, but defense-in-depth sanitization is still recommended. Consult the GitHub advisory (https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md) and the official Leaflet project page (http://leaflet.com) for updates and additional guidance.
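The following is an added example, not code from the Leaflet project or from the advisory, showing the hardened counterpart of the pattern described in the Technical Context and Remediation sections above. It assumes only the documented shape of Leaflet's API (bindPopup() accepts either an HTML string or an HTMLElement); the place record, the escapeHtml/buildPopupHtml/buildPopupElement helpers and the audit helper are constructed for this example. The sample input reuses the payload quoted in the NVD description so that the escaping can be checked against it.

```javascript
// Added example (not Leaflet project code): treating popup content as
// untrusted data before it reaches L.marker(...).bindPopup().

// Escape the five characters that matter in HTML text and attribute values,
// so user-supplied strings are rendered as literal text, never parsed as markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the popup HTML from a fixed, developer-controlled template: only the
// template's own tags are emitted raw, every user-supplied field is escaped.
// Hardened replacement for the vulnerable pattern  marker.bindPopup(place.name)
// described on the page; use as  marker.bindPopup(buildPopupHtml(place)).
function buildPopupHtml(place) {
  return `<strong>${escapeHtml(place.name)}</strong><br>${escapeHtml(place.description)}`;
}

// Preferred when a DOM is available: bindPopup() also accepts an HTMLElement,
// so the text can be assigned through textContent and never passes through the
// HTML parser at all. `doc` is injectable so the function is testable without a browser.
function buildPopupElement(place, doc = globalThis.document) {
  const root = doc.createElement('div');
  const title = doc.createElement('strong');
  title.textContent = place.name;           // assigned as text, not parsed as HTML
  root.appendChild(title);
  root.appendChild(doc.createElement('br'));
  root.appendChild(doc.createTextNode(place.description));
  return root;
}

// Audit aid for the bindPopup() review the advisory recommends: flags inputs
// that carry an inline event-handler attribute so they can be logged and
// investigated. This is a detection heuristic, NOT a sanitizer; output safety
// comes from escapeHtml/buildPopupElement (or a library such as DOMPurify).
function looksLikeEventHandlerInjection(input) {
  return /<[^>]*\son[a-z]+\s*=/i.test(String(input));
}

// Constructed sample record (hypothetical): the name field contains the exact
// payload quoted in the NVD description above.
const untrustedPlace = {
  name: 'Cafe <img src=x onerror="alert(\'XSS\')">',
  description: 'Open "daily" & late',
};

// Stand-alone demonstration: the escaped output contains no live tag.
console.log(buildPopupHtml(untrustedPlace));
console.log('flagged for review:', looksLikeEventHandlerInjection(untrustedPlace.name));
```

The string-building path is the minimal fix when popup templates are simple; when the popup genuinely needs rich user-authored HTML, an allow-list sanitizer such as DOMPurify belongs in front of bindPopup() instead of escapeHtml(), and the CSP script-src restriction recommended above remains the backstop for anything the sanitizer misses.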


CVE-2025-69993 vulnerability details – vuln.today
