CVE-2025-5301 in Docs
Summary
by MITRE • 06/12/2025
ONLYOFFICE Docs (DocumentServer) in versions 8.3.1 and below is affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response.
Analysis
by VulDB Data Team • 06/18/2025
The vulnerability identified as CVE-2025-5301 affects ONLYOFFICE DocumentServer versions 8.3.1 and earlier, presenting a critical reflected cross-site scripting vulnerability that specifically manifests when processing files through the WOPI protocol. This vulnerability stems from insufficient input validation and output encoding within the server's response handling mechanism, creating a pathway for malicious actors to execute arbitrary JavaScript code in the context of a victim's browser session.
The technical flaw resides in the server's improper sanitization of user-supplied data when processing WOPI requests, particularly those involving HTTP POST parameters that are subsequently reflected in HTML responses without adequate encoding or validation. When a user opens a document through the WOPI interface, the server processes various parameters that may contain malicious payloads, and if these inputs are not properly filtered or escaped, they become part of the server's response. This creates a classic reflected XSS vulnerability where the malicious script is injected via a crafted HTTP POST request and then executed when the victim's browser renders the reflected content.
The operational impact of this vulnerability is significant as it allows attackers to perform a wide range of malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. An attacker could craft a malicious WOPI request containing JavaScript code that would be reflected in the server's response, potentially compromising user sessions and enabling unauthorized access to documents stored within the ONLYOFFICE environment. The vulnerability is particularly dangerous because it leverages the legitimate WOPI protocol, making it more difficult to detect and block through traditional security measures.
The weakness is classified as CWE-79 (cross-site scripting) and mapped to ATT&CK technique T1566.001, spearphishing attachment, because delivery depends on social engineering. Since the XSS is reflected rather than stored, the payload is not persisted on the server: each victim must be induced to submit the crafted request, typically through a phishing email or malicious file sharing, which suits targeted attacks.

Organizations running ONLYOFFICE DocumentServer should prioritize updating to version 8.3.2 or later and add compensating controls: a web application firewall in front of the WOPI endpoints, strict validation of WOPI request parameters, and context-aware output encoding of any value reflected into HTML. Network monitoring should flag WOPI requests that carry markup or script fragments, and users should be reminded of the risk of opening untrusted documents. The case illustrates why input validation and defense in depth matter for client-side attack surfaces in document management systems.