CVE-2025-59838 - Vulnerability Details - OpenCVE

Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Monkeytype	Monkeytype

No data.

No data.

References

Link	Providers
https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7
https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w

History

Fri, 26 Sep 2025 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Monkeytype Monkeytype monkeytype
Vendors & Products		Monkeytype Monkeytype monkeytype

Thu, 25 Sep 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 25 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12.
Title		Monkeytype Vulnerable to Self-XSS on loading saved custom text
Weaknesses		CWE-79
References		https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7 https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w
Metrics		cvssV4_0 `{'score': 2.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-09-25T14:52:16.612Z

Updated: 2025-09-25T15:48:20.837Z

Reserved: 2025-09-22T14:34:03.471Z

Link: CVE-2025-59838

Vulnrichment

Updated: 2025-09-25T15:44:31.414Z

NVD

Status : Awaiting Analysis

Published: 2025-09-25T15:16:14.390

Modified: 2025-09-26T14:32:53.583

Link: CVE-2025-59838

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59838", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-22T14:34:03.471Z", "datePublished": "2025-09-25T14:52:16.612Z", "dateUpdated": "2025-09-25T15:48:20.837Z"}, "containers": {"cna": {"title": "Monkeytype Vulnerable to Self-XSS on loading saved custom text", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w"}, {"name": "https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7", "tags": ["x_refsource_MISC"], "url": "https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7"}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"version": "< f025b121cbe437e29de432b4aa72e0de22c755b7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-25T14:52:16.612Z"}, "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12."}], "source": {"advisory": "GHSA-j4xx-fww5-774w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-25T15:44:28.793892Z", "id": "CVE-2025-59838", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T15:48:20.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59838", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-25T15:44:28.793892Z"}}}], "references": [{"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T15:44:31.414Z"}}], "cna": {"title": "Monkeytype Vulnerable to Self-XSS on loading saved custom text", "source": {"advisory": "GHSA-j4xx-fww5-774w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"status": "affected", "version": "< f025b121cbe437e29de432b4aa72e0de22c755b7"}]}], "references": [{"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w", "name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7", "name": "https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-25T14:52:16.612Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59838", "state": "PUBLISHED", "dateUpdated": "2025-09-25T15:48:20.837Z", "dateReserved": "2025-09-22T14:34:03.471Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-09-25T14:52:16.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12."}], "id": "CVE-2025-59838", "lastModified": "2025-09-26T14:32:53.583", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-09-25T15:16:14.390", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7"}, {"source": "security-advisories@github.com", "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}