CVE-2025-58361

Summary

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain an non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: and a few patterns. data: URLs (for example data:image/svg+xml,…) still pass. If a sanitized value is used in href/src, an attacker can execute a script. There is currently no fix for this issue.

Affected Software

VendorProductVersion RangeStatus
MarceloTessaropromptcraft-forge-studio>= 0affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-184: CWE-184: Incomplete List of Disallowed Inputs

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References