CVE-2025-66563
Last modified
CVE-2025-66563 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Monkeytype | Monkeytype | <= 25.49.0 |
References
- https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27Exploit, Vendor Advisory
- https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-66563?
How severe is CVE-2025-66563?
How do I fix CVE-2025-66563?
Are you affected by CVE-2025-66563?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST