CVE-2025-66629

LOW

HedgeDoc <1.10.4 - CSRF

Title source: llm

Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.

References (2)

Scores

CVSS v3 3.7
EPSS 0.0002
EPSS Percentile 4.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Classification

CWE
CWE-352
Status published

Affected Products (1)

hedgedoc/hedgedoc < 1.10.4

Timeline

Published Dec 05, 2025
Tracked Since Feb 18, 2026