Merge pdf-cve-3077 into production #3078

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 2, 2025
54 changes: 54 additions & 0 deletions knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
description: How to mitigate CVE-2025-6725, a Cross-site Scripting (XSS) vulnerability in the Telerik PDF Viewer for Blazor.
type: troubleshooting
page_title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
slug: pdfviewer-kb-xss-vulnerability-cve-2025-6725
tags: telerik, blazor, pdfviewer, vulnerability, xss
ticketid: 1689311
res_type: kb
---

## Environment

<table>
<tbody>
<tr>
<td>Product</td>
<td>PDF Viewer for Blazor</td>
</tr>
<tr>
<td>Version</td>
<td>From 3.6.0 to 9.0.0</td>
</tr>
</tbody>
</table>

## Description

This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725) in the Telerik PDF Viewer component for Blazor.

* The weakness ID is [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html).
* The vulnerability CVSS score is `5.4` (medium).

The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.

## Solution

If your Blazor app uses the Telerik PDF Viewer, then [upgrading Telerik UI for Blazor](slug:upgrade-tutorial) to version **9.1.0** or later is strongly recommended.

All customers with a Telerik license can:

* Access the [Downloads page in their Telerik account](https://www.telerik.com/account/downloads/product-download).
* Reference [NuGet packages on the Telerik NuGet server](slug:installation/nuget).

## Notes

* If you do not use the PDF Viewer in your application, the application is not vulnerable.
* If you have any questions or concerns related to this issue, [open a new technical support ticket from the Telerik Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical support is available to customers with an active license and support plan.
* We would like to thank Harmen van Keimpema for responsibly disclosing this vulnerability.

## See Also

* [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725)
* [PDF Viewer Overview](slug:pdfviewer-overview)
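Review bot: The `title` and `page_title` front-matter fields identify the issue as "(2025-6725)" while `description`, the Description section and See Also use the full identifier "CVE-2025-6725"; use the full "CVE-2025-6725" form in both title fields so the advisory is searchable by its actual CVE id. Two smaller documentation gaps in the same file: the Environment table's "From 3.6.0 to 9.0.0" should state that 9.0.0 is inclusive (the Solution section only says 9.1.0 or later is fixed, so a reader must infer the upper bound), and the Notes section should say explicitly whether any mitigation short of upgrading exists, since the Solution section only calls the upgrade "strongly recommended" rather than required.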