Mintlify Platform Cross-Tenant Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting vulnerability has been identified in the Mintlify Platform's Static Asset API, affecting versions prior to November 15, 2025. It allows remote attackers to inject arbitrary web scripts or HTML into the documentation sites of Mintlify customers, including Discord, Twitter, Vercel, and Cursor. The root cause is that any tenant's uploaded assets could be served on another tenant's documentation site, creating a cross-tenant (cross-domain) XSS risk. Exploitation involves uploading an SVG file with embedded JavaScript to a Mintlify account; that file could then be requested through a specific static-asset endpoint on a different tenant's site, where the script executes in the victim site's origin.
Impact
Exploitation of this vulnerability allows for cross-site scripting attacks on users accessing the affected documentation site. The injected script runs in the context of the user's session, potentially leading to credential theft or other malicious actions.
Reproduction
To reproduce this vulnerability, upload an SVG file containing a JavaScript payload to a Mintlify account. Then, access the file through the '_mintlify/static/' endpoint on a different tenant's documentation site. The JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Mintlify has patched this vulnerability by restricting access to each static asset to the tenant that uploaded it. Affected companies need to take no further action, as the fix is applied on the platform side.
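To make the remediation concrete, the following is an added example (not Mintlify's code) modelling the fix described above: a static-asset lookup that only serves an asset on the documentation site of the tenant that uploaded it. The asset store, hostnames, tenant identifiers and function names are constructed assumptions; the response headers on SVG assets are a defence-in-depth measure added here and are not described in the advisory.

```javascript
// Added example, not Mintlify's code. Models the advisory's fix: a static
// asset is served only on the docs site of the tenant that uploaded it.
// Everything below (store, hostnames, tenant ids) is constructed for illustration.

// Constructed asset store: assetId -> { ownerTenant, contentType, body }
const ASSET_STORE = new Map([
  ["logo.svg", {
    ownerTenant: "tenant-a",
    contentType: "image/svg+xml",
    body: '<svg xmlns="http://www.w3.org/2000/svg"/>',
  }],
  ["hero.png", {
    ownerTenant: "tenant-b",
    contentType: "image/png",
    body: "<png bytes>",
  }],
]);

// Constructed mapping from a documentation hostname to the tenant that owns it.
const HOST_TO_TENANT = new Map([
  ["docs.tenant-a.example", "tenant-a"],
  ["docs.tenant-b.example", "tenant-b"],
]);

// Defence in depth (assumption, not from the advisory): even if an ownership
// check were bypassed, these headers stop a browser from running an SVG's
// scripts when the file is opened as a top-level document, and stop MIME sniffing.
function assetHeaders(asset) {
  const headers = {
    "Content-Type": asset.contentType,
    "X-Content-Type-Options": "nosniff",
  };
  if (asset.contentType === "image/svg+xml") {
    headers["Content-Security-Policy"] = "sandbox; script-src 'none'";
  }
  return headers;
}

// Pre-fix behaviour as the advisory describes it: the asset id alone selects
// the asset, so an upload owned by tenant B is served on tenant A's docs host.
function serveAssetUnscoped(host, assetId) {
  const asset = ASSET_STORE.get(assetId);
  if (!asset) return { status: 404 };
  return {
    status: 200,
    headers: { "Content-Type": asset.contentType },
    body: asset.body,
  };
}

// Fixed behaviour: the tenant derived from the requesting host must equal
// the asset's owner. Unknown hosts and foreign assets both return 404 so the
// response does not reveal whether the id exists under another tenant.
function serveAssetScoped(host, assetId) {
  const tenant = HOST_TO_TENANT.get(host);
  if (!tenant) return { status: 404 };
  const asset = ASSET_STORE.get(assetId);
  if (!asset || asset.ownerTenant !== tenant) return { status: 404 };
  return { status: 200, headers: assetHeaders(asset), body: asset.body };
}

// Usage: the same request resolves differently before and after the fix.
console.log(serveAssetUnscoped("docs.tenant-a.example", "hero.png").status); // 200
console.log(serveAssetScoped("docs.tenant-a.example", "hero.png").status);   // 404
console.log(serveAssetScoped("docs.tenant-b.example", "hero.png").status);   // 200
```

The ownership check is the actual fix; the headers only limit the blast radius if a future regression reintroduces cross-tenant resolution, since an SVG rendered inside an `<img>` never runs scripts, while one opened directly as a document does unless a sandboxing policy forbids it.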
