CVE-2025-3019

Summary

KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existing data. The issues are caused by a bug https://github.com/Baroshem/nuxt-security/issues/610 in the widely used nuxt-security module.

There are no viable workarounds therefore we strongly recommend to update to one of the following versions of KNIME Business Hub:

  • 1.13.3 or later

  • 1.12.4 or later

Affected Software

VendorProductVersion RangeStatus
KNIMEKNIME Business Hub1.13.0 < 1.13.3affected
KNIMEKNIME Business Hub1.12.0 < 1.12.4affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References