PrivateBin, HTML Injection/XSS, CVE-2025-21997 (Critical)


The vulnerability exists in the client-side encryption process. When creating a paste, the front-end constructs a `cipherMessage` object containing the paste data, file attachment, and an `attachment_name` array. The `ServerInteraction.setCipherMessage()` function is called to process this object before it is encrypted and sent. By using a client-side monkeypatch to intercept this function call, an attacker can modify the `attachment_name` array, replacing the legitimate filenames with arbitrary HTML strings. This malicious `cipherMessage` is then encrypted and stored on the server. When a victim views the paste, their client decrypts the data and unsafely inserts the manipulated `attachment_name` directly into the DOM via `innerHTML` without proper neutralization, causing the browser to interpret the injected HTML markup. This bypasses the encryption’s integrity because the tampering occurs on the plaintext object before the client-side AES-GCM encryption is applied.
Platform: PrivateBin
Version: 1.7.7 – 2.0.1
Vulnerability : HTML Injection / XSS
Severity: Critical
Date: 2025-10-23

Prediction: 2025-11-06

What Undercode Says:

git log --oneline | grep -iE "xss|injection|c4f8482"
curl -I https://your-privatebin-instance/ | grep -i content-security-policy
// PoC Monkeypatch Code
(()=>{const d='"><script>alert(1)</script>.txt';if(!window.$||!$.PrivateBin?.ServerInteraction)return;const s=$.PrivateBin.ServerInteraction;const o=s.setCipherMessage?.bind(s);s.setCipherMessage=async function(c){if(c&&Array.isArray(c.attachment_name)){c.attachment_name=c.attachment_name.map(()=>d);}return await o(c);};})();

How the Exploit Works:

Client-side monkeypatch injection.

Modify `attachment_name` pre-encryption.

Victim DOM parsing executes HTML.

Protection from this CVE:

Upgrade to version 2.0.2.

Enforce strict CSP headers.

Disable file attachments feature.

Impact:

Persistent XSS attacks.

Website defacement and phishing.

Credential theft via redirection.

Sources:

Reported By: github.com