CVE-2025-65095 in Lookyloo

Summary

by MITRE • 11/19/2025

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on the index and tree pages. This issue has been patched in version 1.35.1.


Analysis

by VulDB Data Team • 11/19/2025

The vulnerability identified as CVE-2025-65095 affects Lookyloo, a web-based tool designed for capturing website pages and visualizing the domain relationships within those pages through an interactive tree structure. This tool serves security professionals and researchers by enabling them to analyze web page dependencies and identify potential tracking or malicious domains. The vulnerability exists in versions prior to 1.35.1 where cross-site scripting attacks can be executed on both the main index page and the tree display page. The flaw represents a significant security risk as it allows attackers to inject malicious scripts into the web interface, potentially compromising user sessions or redirecting them to malicious content. The vulnerability stems from inadequate input validation and output encoding mechanisms within the application's web interface, particularly in how it handles user-supplied data when rendering domain information in the tree visualization.

The cross-site scripting occurs when user-provided domain names or URL parameters are not properly sanitized before being rendered in the web interface. Attackers can exploit this by crafting malicious input that includes script tags or other XSS payloads within domain names or URLs that the application processes and displays. When the affected pages render these inputs, the malicious code executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or redirection to phishing sites. This vulnerability directly maps to CWE-79, which describes Cross-Site Scripting vulnerabilities where applications fail to properly validate or escape user-controllable data before including it in dynamically generated web pages. The attack surface is particularly concerning given that Lookyloo is designed for security analysis, meaning users who interact with the tool may be more trusting of its output and less vigilant about potential malicious content.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable sophisticated attack vectors that leverage the tool's intended functionality against its users. An attacker who successfully exploits this vulnerability could manipulate the tree visualization to display malicious content that appears legitimate, potentially misleading security analysts who rely on the tool for their investigations. The risk is compounded by the fact that Lookyloo is often used in security research environments where users may have elevated privileges or access to sensitive information. This vulnerability also aligns with ATT&CK technique T1059.007, which covers script injection attacks, and could facilitate further exploitation through techniques such as credential theft or privilege escalation. Organizations using Lookyloo without the patch may find their security analysis workflows compromised, as attackers could potentially use this vulnerability to gain unauthorized access to the system or manipulate analysis results.

The remediation for this vulnerability requires updating to Lookyloo version 1.35.1 or later, which implements proper input sanitization and output encoding mechanisms. Security teams should immediately assess their current deployments and ensure all instances are updated to the patched version. Additional mitigations include implementing proper content security policies to restrict script execution, conducting regular security audits of the web application, and monitoring for suspicious activity in the application logs. Organizations should also consider implementing web application firewalls to detect and block potential XSS attempts, though the primary defense remains the application-level patch. The vulnerability demonstrates the importance of input validation in web applications and highlights how even security tools can contain exploitable flaws that could be leveraged against their users. Regular security assessments and keeping software components up to date remain critical practices for maintaining the security posture of web-based analysis tools.
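The output-encoding and content security policy mitigations described above, shown as an added example that is not Lookyloo's code or its patch. The tree structure, function names and sample values are hypothetical and constructed for illustration; the example also goes slightly beyond the text by allow-listing link schemes.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a hostname tree as a capture tool might store it.
# Field names and values are hypothetical, not Lookyloo's data model.
SAMPLE_TREE = {
    "name": "example.test",
    "url": "https://example.test/",
    "children": [
        {"name": "<script>alert(1)</script>.cdn.test",
         "url": "javascript:alert(1)", "children": []},
        {"name": 'tracker.test" onmouseover="x',
         "url": "http://tracker.test/a?b=1&c=2", "children": []},
    ],
}

ALLOWED_SCHEMES = {"http", "https"}

def render_unsafe(node):
    """'Before': captured strings are concatenated into markup unescaped."""
    kids = "".join(render_unsafe(c) for c in node["children"])
    return f'<li><a href="{node["url"]}">{node["name"]}</a><ul>{kids}</ul></li>'

def safe_href(url):
    """Return an attribute-safe href, or '#' when the scheme is not http(s)."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed URL taken from a capture
        return "#"
    return html.escape(url, quote=True) if scheme in ALLOWED_SCHEMES else "#"

def render_safe(node):
    """'After': every captured value is encoded for the context it lands in."""
    kids = "".join(render_safe(c) for c in node["children"])
    name = html.escape(node["name"], quote=True)
    return f'<li><a href="{safe_href(node["url"])}">{name}</a><ul>{kids}</ul></li>'

# Defense in depth: a restrictive policy that does not allow inline script.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_TREE))
    print(render_safe(SAMPLE_TREE))
```
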

Responsible: GitHub M
Reservation: 11/17/2025
Disclosure: 11/19/2025
Moderation: accepted
CPE: ready
EPSS: 0.00060
KEV: no
Activities: very low
