CVE-2019-25449 in OrientDB
Summary
by MITRE • 02/21/2026
OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to /document/demodb/-1:-1 with script tags in the name parameter to execute arbitrary JavaScript in users' browsers.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/21/2026
OrientDB version 3.0.17 contains a critical reflected cross-site scripting vulnerability that represents a significant security risk for web applications utilizing this database management system. This vulnerability exists within the document endpoint functionality and specifically affects the handling of user-supplied input parameters. The flaw manifests when the system processes JSON payloads submitted through POST requests to the /document/demodb/-1:-1 endpoint, where the name parameter fails to properly sanitize or escape user input before rendering it in the web interface. This oversight creates an opportunity for attackers to inject malicious scripts that will execute in the context of other users' browsers, effectively enabling a reflected XSS attack vector. The vulnerability's impact is particularly concerning as it operates at the application layer and can be exploited without requiring authentication or privileged access to the database itself.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding practices within the OrientDB web interface components. When an attacker submits a crafted POST request containing script tags within the name parameter, the system fails to properly escape or filter the input before it is rendered in the browser context. This reflected nature means that the malicious payload is immediately reflected back to the user's browser without being stored on the server, making it particularly difficult to detect and prevent through traditional security measures. The vulnerability specifically targets the document endpoint which serves as a primary interface for managing database records, making it a high-value target for attackers seeking to compromise user sessions or exfiltrate sensitive data. The attack requires minimal complexity and can be executed through simple HTTP requests, making it accessible to threat actors with basic web application exploitation knowledge.
The operational impact of this vulnerability extends beyond simple script execution and represents a potential gateway for more sophisticated attacks within web application environments. Successful exploitation allows attackers to execute arbitrary JavaScript code in users' browsers, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The reflected nature of the vulnerability means that attackers can craft specific URLs or payloads that, when clicked by victims, will automatically execute malicious code in their browsers. This capability can be leveraged for phishing attacks, data exfiltration, or to establish persistent access through browser-based backdoors. The vulnerability affects all users of OrientDB 3.0.17 who interact with the web interface, particularly those who may be using the database in production environments where user access is granted. The attack vector operates at the HTTP level and can be executed against any user who visits a maliciously crafted URL or interacts with compromised web content, making the attack surface potentially very broad.
Organizations utilizing OrientDB 3.0.17 should immediately implement mitigations to address this reflected XSS vulnerability. The primary recommended approach involves implementing comprehensive input validation and output encoding for all user-supplied parameters, particularly those used in web interface components. This includes sanitizing the name parameter and other input fields within the document endpoint to prevent script injection attempts. Security measures should include the implementation of Content Security Policy headers, proper HTML escaping of dynamic content, and input validation that rejects or sanitizes potentially malicious payloads. Additionally, organizations should consider implementing web application firewalls to detect and block suspicious requests targeting the vulnerable endpoint. The most effective long-term solution involves upgrading to a patched version of OrientDB that addresses this vulnerability, as the flaw represents a fundamental security weakness in the input handling mechanisms. This vulnerability aligns with CWE-79, which describes improper neutralization of input during web page generation, and could be categorized under ATT&CK technique T1203 for Exploitation for Credential Access, particularly when considering the potential for session hijacking and privilege escalation through browser-based attacks.
The vulnerability demonstrates a critical gap in the security architecture of OrientDB's web interface implementation and highlights the importance of proper input validation in web applications. Security teams should conduct comprehensive assessments of their OrientDB installations to identify all potentially affected endpoints and ensure that appropriate mitigations are in place. Regular security testing and code reviews should be implemented to identify similar vulnerabilities in other components of the application stack. The incident underscores the necessity of maintaining up-to-date software versions and implementing robust security controls at multiple layers of the application architecture. Organizations should also consider implementing monitoring solutions to detect unusual patterns of requests to the document endpoint that may indicate exploitation attempts, and establish incident response procedures to address potential security breaches resulting from this vulnerability.