# CVE-2025-56795
Stored Cross-Site Scripting (XSS) vulnerability affecting the recipe creation functionality in Mealie versions up to 3.0.1.
## Description
Two stored Cross-Site Scripting (XSS) vulnerabilities were identified in the recipe creation functionality of **Mealie**, affecting all versions up to and including **3.0.1**.
Unsanitized user input provided during recipe creation is stored and later rendered in the frontend without proper escaping, resulting in persistent XSS.
---
## Affected Fields
During the creation of a new recipe, the following fields are vulnerable:
1. **Ingredient Notes (`note` parameter):**
Input in this field is stored and later rendered in the recipe detail view, allowing the execution of injected JavaScript payloads.
2. **Instruction Text (`text` parameter):**
Input in this field is also stored and rendered in the recipe detail view, leading to JavaScript execution when the recipe is viewed.
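The rendering defect behind both fields, shown as an added example rather than Mealie's own frontend code: a recipe detail view that interpolates the stored `note` and `text` values straight into markup, beside the same view with every untrusted value escaped first, plus a small check a reviewer can run over rendered output. The recipe object shape, the function names and the `probe()` string in the sample data are assumptions constructed for this illustration.

```javascript
// Added example, not Mealie's code: unescaped vs. escaped rendering of the
// stored `note` and `text` fields named in the advisory. The recipe object
// shape and all sample values below are constructed for illustration.

// Escape the five characters that can change HTML context. This covers element
// content and double-quoted attribute values; URL, script and unquoted
// attribute contexts need their own, context-aware encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored field values are concatenated into markup as-is,
// so any markup the recipe author stored becomes live HTML for every viewer.
function renderRecipeUnsafe(recipe) {
  const ingredients = recipe.ingredients
    .map((i) => `<li>${i.quantity} ${i.food} <em>${i.note}</em></li>`)
    .join('');
  const steps = recipe.instructions
    .map((s) => `<li>${s.text}</li>`)
    .join('');
  return `<ul>${ingredients}</ul><ol>${steps}</ol>`;
}

// Hardened pattern: every untrusted value passes through escapeHtml before it
// reaches the template, so stored markup is displayed as literal text.
function renderRecipeSafe(recipe) {
  const ingredients = recipe.ingredients
    .map((i) =>
      `<li>${escapeHtml(i.quantity)} ${escapeHtml(i.food)} <em>${escapeHtml(i.note)}</em></li>`)
    .join('');
  const steps = recipe.instructions
    .map((s) => `<li>${escapeHtml(s.text)}</li>`)
    .join('');
  return `<ul>${ingredients}</ul><ol>${steps}</ol>`;
}

// Regression check for a review or test suite: does any untrusted field value
// that contains angle brackets appear verbatim in the rendered HTML?
function leaksRawMarkup(html, recipe) {
  const fields = [
    ...recipe.ingredients.map((i) => i.note),
    ...recipe.instructions.map((s) => s.text),
  ];
  return fields.some((v) => /[<>]/.test(v) && html.includes(v));
}

// Constructed sample: a note and an instruction text that both carry markup.
const SAMPLE_RECIPE = {
  ingredients: [
    { quantity: '2', food: 'onions', note: 'diced <script>probe()</script>' },
  ],
  instructions: [
    { text: 'Fry gently until <b>golden</b>' },
  ],
};

const UNSAFE_HTML = renderRecipeUnsafe(SAMPLE_RECIPE);
const SAFE_HTML = renderRecipeSafe(SAMPLE_RECIPE);
console.log('unsafe render leaks markup:', leaksRawMarkup(UNSAFE_HTML, SAMPLE_RECIPE));
console.log('safe render leaks markup:  ', leaksRawMarkup(SAFE_HTML, SAMPLE_RECIPE));
```

Output-side escaping is the fix that actually closes the bug class; validating or stripping tags on the way into the database helps, but the detail view cannot assume every stored value was created through a well-behaved client, which is why the check above is run against the rendered HTML rather than the submitted JSON.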
---
## Proof of Concept
**Screenshot showing the vulnerable parameters in the JSON response after creating a new recipe:**
<div align="center">
<img width="700" height="612" alt="create_recipe_response" src="https://github.com/user-attachments/assets/226b2c88-7d03-4f91-8840-1ac4554f2f82" />
</div>
**Browser alert triggered via the `note` parameter (“First Stored XSS”):**
<div align="center">
<img width="700" height="600" alt="xss_note_popup" src="https://github.com/user-attachments/assets/33abaa1c-7ba3-464d-88a6-a25f961c4a98" />
</div>
**Browser alert triggered via the `text` parameter (“Second Stored XSS”):**
<div align="center">
<img width="700" height="479" alt="xss_instruction_popup" src="https://github.com/user-attachments/assets/071bf3ed-daa9-40d1-a953-cf7d65a1dec8" />
</div>
---
## References
- [MITRE CVE Record](https://www.cve.org/CVERecord?id=CVE-2025-56795)
- [GitHub Issue – Vulnerability Report](https://github.com/mealie-recipes/mealie/issues/5677)
- [GitHub Pull Request – Fix](https://github.com/mealie-recipes/mealie/pull/5754)