From 85ba929b51813d8e14473aa70d8c17b488902e74 Mon Sep 17 00:00:00 2001
From: Dimo Dimov <961014+dimodi@users.noreply.github.com>
Date: Tue, 1 Jul 2025 17:39:55 +0300
Subject: [PATCH 1/2] kb(PdfViewer): Add CVE KB
---
...fviewer-xss-vulnerability-cve-2025-6725.md | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
diff --git a/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md b/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
new file mode 100644
index 000000000..c08e0a74b
--- /dev/null
+++ b/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
@@ -0,0 +1,54 @@
+---
+title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
+description: How to mitigate CVE-2025-6725, a Cross-site Scripting (XSS) vulnerability in the Telerik PDF Viewer for Blazor.
+type: troubleshooting
+page_title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
+slug: pdfviewer-kb-xss-vulnerability-cve-2025-6725
+tags: telerik, blazor, pdfviewer, vulnerability, xss
+ticketid: 1689311
+res_type: kb
+---
+
+## Environment
+
+
+
+
+ Product |
+ PDF Viewer for Blazor |
+
+
+ Version |
+ From 3.6.0 to 9.0.0 |
+
+
+
+
+## Description
+
+This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725) in the Telerik PDF Viewer component for Blazor.
+
+* The weakness ID is [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html).
+* The vulnerability CVSS score is `0.54` (medium).
+
+The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.
+
+## Solution
+
+If your Blazor app uses the Telerik PDF Viewer, then [upgrading Telerik UI for Blazor](slug:upgrade-tutorial) to version **9.1.0** or later is strongly recommended.
+
+All customers with a Telerik license can:
+
+* Access the [Downloads page in their Telerik account](https://www.telerik.com/account/downloads/product-download).
+* Reference [NuGet packages on the Telerik NuGet server](slug:installation/nuget).
+
+## Notes
+
+* If you do not use the PDF Viewer in your application, the application is not vulnerable.
+* If you have any questions or concerns related to this issue, [open a new technical support ticket from the Telerik Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical support is available to customers with an active license and support plan.
+* We would like to thank Harmen van Keimpema for responsibly disclosing this vulnerability.
+
+## See Also
+
+* [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725)
+* [PDF Viewer Overview](slug:pdfviewer-overview)
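Review bot: the CVSS value on the line `+* The vulnerability CVSS score is \`0.54\` (medium).` cannot be correct: CVSS base scores run from 0.0 to 10.0 and the medium band is 4.0 to 6.9, so `0.54` contradicts the `(medium)` label beside it and reads like a misplaced decimal point (the follow-up patch in this series changes it to `5.4`). Suggest stating the CVSS version and the vector string next to the score so the rating can be checked against the linked CVE record. Two smaller points in this hunk: the Environment block consists of bare cells (` Product |`, ` PDF Viewer for Blazor |`) with no visible header separator or row delimiters, so as shown it will not render as a Markdown table; and the `title` and `page_title` front matter give the identifier as `(2025-6725)` while the body, the `slug` and the See Also link use the full `CVE-2025-6725` form, so the prefix should be used consistently.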
From 4b7644e909644a01118f432ddd485a023ec4c3a1 Mon Sep 17 00:00:00 2001
From: Dimo Dimov <961014+dimodi@users.noreply.github.com>
Date: Wed, 2 Jul 2025 11:04:30 +0300
Subject: [PATCH 2/2] Update
knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
---
knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md b/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
index c08e0a74b..0ef987161 100644
--- a/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
+++ b/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
@@ -29,7 +29,7 @@ res_type: kb
This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725) in the Telerik PDF Viewer component for Blazor.
* The weakness ID is [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html).
-* The vulnerability CVSS score is `0.54` (medium).
+* The vulnerability CVSS score is `5.4` (medium).
The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.
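Review bot: the corrected value `5.4` is consistent with the `(medium)` label (CVSS base scores range 0.0 to 10.0, medium is 4.0 to 6.9), but the line still carries only a bare number; add the CVSS version and the vector string alongside it so readers can verify the rating against the CVE record linked in the same paragraph. Separately, the commit subject `Update knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md` says nothing about what changed; a subject in the form `kb(PdfViewer): Fix CVSS score (0.54 -> 5.4)` would match the first commit's style and keep the history searchable.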