### Key Information Summary

#### Vulnerability Overview

- **CVE ID**: CVE-2025-56683
- **Vulnerability Type**: DOM-based Cross-Site Scripting (XSS) leading to Remote Code Execution (RCE)
- **Affected Product**: Logseq Application

#### Technical Details

1. **DOM-based XSS Vulnerability**
   - **File**: `src/main/resources/app.js`
   - **Line Number**: 82
   - **Description**: During processing of document location parameters, user input is not adequately validated or encoded, allowing attackers to inject JavaScript code via malicious URLs.
   - **Exploitation**: Attackers can trigger XSS by crafting URLs such as `?open=javascript:alert(1)`.

2. **Missing Protocol Validation**
   - **File**: `src/main/resources/app.js`
   - **Line Number**: 123
   - **Description**: The `openDefaultApp` function does not validate the URL protocol before calling `shell.openExternal`, permitting URLs with arbitrary protocols to be opened.
   - **Exploitation**: Attackers can construct URLs like `file:///etc/passwd` or `http://attacker.com/malicious.js`, leading to local file disclosure or remote script loading.

#### CVSS v3.1 Score

- **Base Score**: 9.0 (Critical)
- **Vector String**: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

#### Proof of Concept (PoC)

- **Environment**: Logseq Desktop Application v0.0.9, Windows 10
- **Steps**:
  1. Launch the Logseq application.
  2. Install and activate the `Markdown` plugin.
  3. Construct a URL using `?open=javascript:alert(1)`.
  4. Upon execution, a browser alert box will pop up.

#### Recommended Mitigation Measures

1. Strictly validate and encode content retrieved from query parameters.
2. Implement a protocol whitelist to restrict the types of URLs that can be opened.

#### Vendor Response and Patch Information

- The Logseq team has acknowledged the vulnerability and released a patched version.
- The patch includes security checks and the introduction of a protocol whitelist.

#### Timeline

- **2023-04-23**: Vulnerability discovered and reported to Logseq support team.
- **2023-04-24**: Vulnerability confirmed and remediation initiated.
- **2023-04-28**: Patch released.
- **2023-05-10**: Security advisory publicly disclosed.
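The two mitigation measures above (validate and encode query-parameter content; allowlist the protocols that may be handed to an external opener) are illustrated by the following example. This is added code for this summary, not Logseq's patch or its `app.js`: the function names `sanitizeExternalUrl`, `openParamFromLocation`, `openDefaultAppSafely` and `escapeHtml` are assumptions chosen for illustration, and the opener callback stands in for a call such as Electron's `shell.openExternal` so the check can be exercised without Electron.

```javascript
// Added example, not Logseq's code. Demonstrates a protocol allowlist in front of
// an external-URL opener and safe handling of an `open` query parameter.
// Function names are illustrative assumptions, not identifiers from the advisory.

// Only these schemes may ever reach the external opener. `javascript:` and
// `file:` are absent on purpose, so they are refused by default.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Return the normalized absolute URL if it is safe to open externally, else null.
// Anything that fails to parse as an absolute URL (relative paths, garbage) is
// also refused, because a partial check is how bypasses start.
function sanitizeExternalUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Read the `open` query parameter from a location search string (the shape of
// input the advisory describes) and return the validated URL or null.
function openParamFromLocation(search) {
  const params = new URLSearchParams(search);
  return sanitizeExternalUrl(params.get('open'));
}

// Hardened wrapper around an external opener. `opener` is injected (in an
// Electron app it would be shell.openExternal) so the guard is testable offline.
// Returns true only when the URL passed the allowlist and was handed over.
function openDefaultAppSafely(raw, opener) {
  const safe = sanitizeExternalUrl(raw);
  if (safe === null) return false;
  opener(safe);
  return true;
}

// Encode untrusted text before it is placed into HTML markup. Prefer assigning
// to textContent; this is for the cases where a string must be built as HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-alone usage with constructed sample inputs.
const attempted = [];
console.log(openDefaultAppSafely('file:///etc/passwd', (u) => attempted.push(u)));   // false
console.log(openDefaultAppSafely('https://example.com/doc', (u) => attempted.push(u))); // true
console.log(openParamFromLocation('?open=javascript:alert(1)'));                      // null
console.log(escapeHtml('<b>"note"</b>'));
```

The design point is that the allowlist is applied to the parsed `protocol` of an absolute URL, not to a substring or prefix match on the raw string, and that the decision is made in one place that every caller of the opener must pass through.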