Public writeup for CVE-2025-55996 (Viber Desktop HTML Injection)# Viber Desktop — HTML Injection (CVE-2025-55996)
**CVE:** CVE-2025-55996
**Discoverer:** Thaw Khant (Cycbake)
**Product:** Viber Desktop
**Affected:** Viber Desktop 25.6.0 (and possibly earlier)
## Summary
Viber Desktop's deep-link handler (`viber://forward?text=`) can render unsanitized HTML supplied in the `text` parameter inside the message compose/forward interface. While script execution appears restricted by the client, attacker-controlled external resources (e.g., images) can be loaded, enabling user tracking and UI manipulation that may facilitate phishing and privacy leakage.
## Impact
- Remote image/resource loading from attacker-controlled domains (IP/meta leakage).
- Message UI manipulation (misleading text/graphics) enabling social engineering.
- Can be chained with other issues for greater impact.
## Reproduction (redacted)
Reproduction steps are intentionally redacted from this public writeup to avoid mass exploitation. A minimal repro was provided to vendor and MITRE at the time of reporting.
## Mitigation / Recommended fix
- Treat the `text` parameter as plain text; do not render HTML by default.
- Properly escape/encode user-supplied input before rendering in the client.
- Block or proxy external resource loading in forwarded messages (strip remote resource requests or force them to pass via a sanitizing proxy).
## Notes
This public writeup intentionally omits exploit-level details. If you are a vendor or security contact requiring technical details for remediation, please contact the discoverer at the address above.
[4.0K] /data/pocs/8a5bf27992f39932c342f9149f14880cda3cdd52
└── [1.5K] README.md
0 directories, 1 file