CryptPad Link Bouncer Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in CryptPad versions prior to 2025.3.0. The issue lies in the 'Link Bouncer' feature, which is intended to filter out 'javascript:' URIs so that they cannot be used for XSS. A maliciously crafted URI can bypass this filter because an 'early allow' code path runs before the protocol check: a URI that satisfies the early allow condition is accepted as safe without its scheme ever being inspected, so a 'javascript:' payload passes through the bouncer unchallenged.
Impact
Exploitation of this vulnerability allows cross-site scripting: an attacker who gets a victim to open a crafted link can inject scripts that execute in the context of the victim's browser session on the CryptPad instance.
Reproduction
To reproduce this vulnerability, first remove the default Content-Security-Policy (it otherwise prevents the injected script from executing; the filter bypass itself is present regardless of CSP, the CSP only stops the resulting script from running). Then navigate to a CryptPad instance with the 'Link Bouncer' feature active and open a link whose 'javascript:' URI is crafted to satisfy the early allow code path, for example one that references 'main.cryptpad.internal' and carries a payload that alerts the document domain. The JavaScript executes, demonstrating that the link bouncer's protocol check was never reached.
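The bug class described in the Vulnerability and Reproduction sections, as an added example that is not CryptPad's code: a constructed link bouncer whose early allow path short-circuits before the scheme check, beside a hardened version that parses the link first and decides on the scheme before consulting any allowlist. The function names, the 'allow'/'bounce'/'block' outcomes, the allowlist logic and the sample links are assumptions made for this illustration; only the host name 'main.cryptpad.internal' and the alert(document.domain) payload are taken from the advisory text. The example goes slightly beyond the advisory in one respect: the third sample link shows why a string match on the scheme is fragile even when it is reached, since the WHATWG URL parser (and a browser) strips tabs and newlines that a regex does not.

```javascript
// Constructed illustration of the "early allow before protocol check" pattern.
// NOT CryptPad's code; names, outcomes and sample links are assumptions.
// Runs on Node (global URL), no dependencies.

const TRUSTED_HOST = 'main.cryptpad.internal';      // host name from the advisory
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Vulnerable shape. 'allow' = skip the warning page, 'bounce' = show the
// warning page and then navigate, 'block' = refuse the link outright.
function classifyVulnerable(href) {
  // Early allow: links to the trusted host skip the warning page. This runs
  // before the scheme is examined, so a javascript: URI that merely contains
  // the trusted host name is treated as a trusted, safe link.
  if (href.includes(TRUSTED_HOST)) return 'allow';
  // Protocol check, reached only for links that missed the early allow, and
  // implemented as a string match on the raw input.
  if (/^\s*javascript:/i.test(href)) return 'block';
  return 'bounce';
}

// Hardened shape: parse first, decide on the scheme alone, and only then
// compare the parsed hostname (never a substring of the raw text) against
// the allowlist.
function classifyHardened(href) {
  let url;
  try {
    url = new URL(href);                 // strips ASCII tab/newline like a browser
  } catch (e) {
    return 'block';                      // unparsable input is never navigated to
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return 'block';                      // javascript:, data:, vbscript:, ...
  }
  return url.hostname === TRUSTED_HOST ? 'allow' : 'bounce';
}

// Constructed sample links. The first mirrors the advisory's description: a
// javascript: URI whose text also contains the trusted host name.
const SAMPLE_LINKS = [
  'javascript:alert(document.domain)//main.cryptpad.internal',
  'https://main.cryptpad.internal/some/document',
  'java\tscript:alert(document.domain)',            // tab defeats the regex
  'https://evil.example/?next=main.cryptpad.internal',
];

// Returns { link: { vulnerable, hardened } } so the two policies can be compared.
function compare(links = SAMPLE_LINKS) {
  const out = {};
  for (const link of links) {
    out[link] = {
      vulnerable: classifyVulnerable(link),
      hardened: classifyHardened(link),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The first sample is the advisory's scenario: the vulnerable policy returns 'allow' because the substring match fires before the scheme is ever looked at, while the hardened policy returns 'block' because `new URL()` reports the scheme as `javascript:` no matter what follows it. The last sample shows the same early allow mistakenly waving through an untrusted host that merely mentions the trusted name in a query string.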
Remediation
Users should update to CryptPad version 2025.3.0 or later, where this vulnerability has been patched.
