CVE-2025-65203 in KeePassXC-Browser

Summary

by MITRE • 12/17/2025

KeePassXC-Browser through 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.


Analysis

by VulDB Data Team • 12/21/2025

The vulnerability identified as CVE-2025-65203 affects KeePassXC-Browser versions through 1.9.9.2 and is a critical flaw in the browser extension's handling of credential autofill within restricted browsing contexts. It manifests when the extension populates form fields in documents that are subject to a strict Content Security Policy (CSP) sandbox directive or an iframe sandbox attribute, a point where a browser security mechanism and credential management functionality collide. The flaw exploits the tension between sandboxed browsing environments and automated credential injection, potentially allowing attackers to bypass the restrictions the sandbox is meant to enforce.

The technical flaw stems from KeePassXC-Browser's improper handling of credential autofill in sandboxed environments where the browser is enforcing a security boundary. When a user navigates to a page whose document is governed by CSP directives and iframe sandboxing, the extension's autofill mechanism populates form fields regardless of those restrictions. The extension does not adequately respect the boundary the sandbox imposes, so script running inside the sandboxed document can read the form fields the credential manager has just filled. This gives attacker-controlled code direct access to the filled form data, which it can extract through ordinary JavaScript access to the populated fields.

The operational impact of this vulnerability is severe and spans multiple attack vectors. An attacker could host malicious content inside a sandboxed iframe or document that enforces strict CSP policies and rely on the credential autofill mechanism to exfiltrate the data it places there. The vulnerability undermines the security model of sandboxed environments, in which scripts are expected to be isolated from data belonging to parent documents and other restricted areas. It therefore enables credential theft through phishing, cross-site scripting, and malicious websites, potentially compromising user accounts across every service whose credentials are stored and managed in KeePassXC.

The security implications go beyond simple credential theft and amount to a breach of the browser's security architecture. The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-352 (Cross-Site Request Forgery), as it enables unauthorized access to protected form data and can facilitate unauthorized actions through compromised credential injection. In ATT&CK terms it maps to T1531 (Account Access Removal) and T1071.004 (Application Layer Protocol: DNS) through potential credential exfiltration mechanisms, and supports T1566 (Phishing) and T1213.002 (Data from Information Repositories) as attack vectors. In effect, attackers can bypass the controls designed to protect users from malicious content while the user's credential management workflow continues to operate normally.

Mitigation should prioritize updating to the latest version of KeePassXC-Browser, in which this vulnerability has been addressed. Organizations should monitor credential manager usage patterns and alert on unusual autofill behavior in sandboxed contexts. Browser administrators should consider policies that prevent credential manager extensions from operating in highly restricted environments where sandboxing is enforced. Network security controls should be tuned to detect and block credential exfiltration attempts, and user education should stress verifying a website's authenticity before engaging the credential manager. Multi-factor authentication and regular credential rotation reduce the impact of successful exploitation, but the most effective measure remains prompt deployment of the patched versions that properly respect browser security boundaries and sandboxing mechanisms.
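The two passages above describe the defect (autofill proceeding inside a sandboxed document) and the remedy (an extension that respects the sandbox boundary). The following is an added illustration, not code from KeePassXC-Browser or a description of its actual fix: a pre-autofill policy check that a credential-manager content script could run so that stored credentials are never written into a sandboxed document. The function names, the context fields (`origin`, `isTopLevel`, `frameSandbox`) and the `fakeWindow` stand-in are assumptions made for this example; the browser properties it relies on (`self.origin`, `window.top`, `window.frameElement`) are standard Web APIs.

```javascript
// Added example, not KeePassXC-Browser's own code: refuse autofill in sandboxed documents.
// Gather the observable facts about the document a content script is running in.
// `win` is the page's window (or, below, a constructed stand-in so this runs in Node).
function collectContext(win) {
  let frameSandbox = null;            // null: top-level, or parent not reachable
  try {
    // frameElement is null for a top-level document and for a frame whose parent is
    // cross-origin; it is only readable when the parent is same-origin with us.
    const fe = win.frameElement;
    if (fe && fe.hasAttribute('sandbox')) {
      frameSandbox = fe.getAttribute('sandbox'); // e.g. "allow-scripts allow-same-origin"
    }
  } catch (_) {
    frameSandbox = 'unreadable';      // treat an access error as unknown, never as safe
  }
  return {
    origin: win.origin,               // the string "null" for an opaque origin
    isTopLevel: win.top === win,
    frameSandbox,
  };
}

// Decide whether autofill may proceed. Returns { allow, reason }.
function shouldAllowAutofill(ctx) {
  // A CSP `sandbox` directive, or an <iframe sandbox> without allow-same-origin, gives
  // the document an opaque origin, which serialises as the string "null".
  if (ctx.origin === 'null') {
    return { allow: false, reason: 'opaque origin: document is sandboxed' };
  }
  let url;
  try { url = new URL(ctx.origin); } catch (_) {
    return { allow: false, reason: 'unparseable origin' };
  }
  if (url.protocol !== 'https:') {
    return { allow: false, reason: 'not a secure context' };
  }
  // A same-origin parent that still applied a sandbox attribute (even with
  // allow-same-origin) is asking for isolation; do not fill inside it.
  if (!ctx.isTopLevel && ctx.frameSandbox !== null) {
    return { allow: false, reason: `frame carries sandbox="${ctx.frameSandbox}"` };
  }
  return { allow: true, reason: 'top-level or unsandboxed https document' };
}

// Constructed stand-ins for window objects (assumption: no real browser is needed).
function fakeWindow({ origin, topLevel = true, sandbox = null, parentReadable = true }) {
  const win = { origin };
  win.top = topLevel ? win : {};
  if (topLevel || !parentReadable) {
    win.frameElement = null;          // top-level, or cross-origin parent: browser returns null
  } else {
    win.frameElement = {
      hasAttribute: (n) => n === 'sandbox' && sandbox !== null,
      getAttribute: (n) => (n === 'sandbox' ? sandbox : null),
    };
  }
  return win;
}

// Demonstration on a constructed sandboxed iframe that ended up with an opaque origin.
const demo = shouldAllowAutofill(
  collectContext(fakeWindow({ origin: 'null', topLevel: false, parentReadable: false }))
);
console.log(demo); // { allow: false, reason: 'opaque origin: document is sandboxed' }
```

The opaque-origin test is the one signal a content script can always observe: both the CSP `sandbox` directive and an `<iframe sandbox>` without `allow-same-origin` produce it. The `frameElement` check only helps when the parent is same-origin; a cross-origin parent's sandbox attribute is not visible from inside the frame, which is why the check treats anything it cannot read as unknown rather than as safe.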

Responsible

MITRE

Reservation

11/18/2025

Disclosure

12/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low

Sources
