CVE-2025-27608

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27608

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27608.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-27608

Aliases

GHSA-252h-4j5q-88pc

Published

2025-04-02T22:15:19Z

Modified

2025-04-03T08:57:13.497263Z

Summary

[none]

Details

Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.

References

Affected packages

Git / github.com/arduino/arduino-ide

Affected ranges

Type: GIT
Repo: https://github.com/arduino/arduino-ide
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d298b3ffc94008e89066cd999d891e84190da18f

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

2.*

2.0.0

2.0.0-beta.1

2.0.0-beta.10

2.0.0-beta.11

2.0.0-beta.12

2.0.0-beta.2

2.0.0-beta.3

2.0.0-beta.4

2.0.0-beta.5

2.0.0-beta.6

2.0.0-beta.7

2.0.0-beta.8

2.0.0-beta.9

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

2.0.0-rc5

2.0.0-rc6

2.0.0-rc7

2.0.0-rc8

2.0.0-rc9

2.0.0-rc9.1

2.0.0-rc9.2

2.0.0-rc9.3

2.0.0-rc9.4

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.3.0

2.3.3

2.3.4

v0.*

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.1.0

v0.1.1

v0.1.2