CVE-2025-63708

MEDIUM

SourceCodester AI Font Matcher - XSS

Title source: llm

Description

A cross-site scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability lies in the webfonts API handling code, where font family names are not properly sanitized before use. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names, resulting in session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The vulnerability can be exploited by injecting a fetch hook that returns attacker-controlled font data containing malicious scripts.

Exploits (1)

nomisec WORKING POC
by DylanDavis1 · poc
https://github.com/DylanDavis1/CVE-2025-63708

Scores

CVSS v3 6.1
EPSS 0.0004
EPSS Percentile 13.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
remyandrade/ai_font_matcher 2025-10-10
Published Nov 17, 2025
Tracked Since Feb 18, 2026