{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2025-68467",
        "tracking": {
            "current_release_date": "2026-03-28T15:21:48.976792Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2025-68467",
            "initial_release_date": "2026-03-04T18:56:50.789915Z",
            "revision_history": [
                {
                    "date": "2026-03-04T18:56:50.789915Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T18:56:54.802483Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-04T22:25:18.373121Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T22:25:20.451548Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T22:39:39.890299Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T22:39:41.691412Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T00:21:04.532740Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-05T14:47:36.342876Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-05T14:47:42.178897Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T16:16:06.996759Z",
                    "number": "10",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-05T18:20:57.083017Z",
                    "number": "11",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-10T18:39:29.975031Z",
                    "number": "12",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-10T18:39:39.687317Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-18T15:27:29.452666Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1)."
                },
                {
                    "date": "2026-03-18T15:27:37.447442Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T20:16:57.011030Z",
                    "number": "16",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-19T20:17:00.041008Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "17"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<4.9.117",
                                "product": {
                                    "name": "vers:unknown/<4.9.117",
                                    "product_id": "CSAFPID-5759409",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:darkreader:darkreader:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<4.9.117",
                                "product": {
                                    "name": "vers:unknown/>=0|<4.9.117",
                                    "product_id": "CSAFPID-5759803"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "darkreader"
                    }
                ],
                "category": "vendor",
                "name": "darkreader"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2025-68467",
            "cwe": {
                "id": "CWE-346",
                "name": "Origin Validation Error"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Description\nDark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example `http://localhost:8080/style.css`, if an address was available and returned a `text/css` content type.\n\n### Patches\nThe problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.\n\nThe installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, `chrome://extensions` or `about:addons` pages.\n\nUsers are encouraged not to disable automatic extension updates and to use the latest browser version, as browser releases typically include multiple security fixes of varying severity.\n\n### NPM package\n\nThe issue does not affect developers using the `darkreader` NPM package for website integration. Developers using the `setFetchMethod()` API must ensure the cross-origin requests are restricted to the intended scope.\n\n### Custom forks\n\nDevelopers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.\n\n### Acknowledgements\nSecurity research performed by [Brian Carpenter](https://x.com/geeknik) - [Deep Fork Cyber](https://deepforkcyber.com/).",
                    "title": "github - https://github.com/advisories/GHSA-x369-mcw8-8rvj"
                },
                {
                    "category": "description",
                    "text": "Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. In order to analyze cross-origin style sheets (stored on websites different from the original web page), Dark Reader requests such files via a background worker, ensuring the request is performed with no credentials and that the content type of the response is a CSS file. Prior to Dark Reader 4.9.117, this style content was assigned to an HTML Style Element in order to parse and loop through style declarations, and also stored in page's Session Storage for performance gains. This could allow a website author to request a style sheet from a locally running web server, for example by having a link pointing to `http[:]//localhost[:]8080/style[.]css`. The brute force of the host name, port and file name would be unlikely due to performance impact, that would cause the browser tab to hang shortly, but it could be possible to request a style sheet if the full URL was known in advance. As of December 18, 2025 there is no known exploit of the issue. The problem has been fixed in version 4.9.117 on December 3, 2025. The style sheets are now parsed using the modern Constructed Style Sheets API and the contents of cross-origin style sheets are no longer stored in page's Session Storage. Version 4.9.118 (December 8, 2025) restricts cross-origin requests to localhost aliases, IP addresses, hosts with ports and non-HTTPS resources. The absolute majority of users have received an update 4.1.117 or 4.9.118 automatically within a week. However users must ensure their automatic updates are not blocked and they are using the latest version of the extension by going to chrome://extensions or about:addons pages in browser settings. Users utilizing manual builds must upgrade to version 4.9.118 and above.\nDevelopers using `darkreader` NPM package for their own websites are likely not affected, but must ensure the function passed to `setFetchMethod()` for performing cross-origin requests works within the intended scope. Developers using custom forks of earlier versions of Dark Reader to build other extensions or integrating into their apps or browsers must ensure they perform cross-origin requests safely and the responses are not accessible outside of the app or extension.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
                },
                {
                    "category": "description",
                    "text": "Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. In order to analyze cross-origin style sheets (stored on websites different from the original web page), Dark Reader requests such files via a background worker, ensuring the request is performed with no credentials and that the content type of the response is a CSS file. Prior to Dark Reader 4.9.117, this style content was assigned to an HTML Style Element in order to parse and loop through style declarations, and also stored in page's Session Storage for performance gains. This could allow a website author to request a style sheet from a locally running web server, for example by having a link pointing to `http[:]//localhost[:]8080/style[.]css`. The brute force of the host name, port and file name would be unlikely due to performance impact, that would cause the browser tab to hang shortly, but it could be possible to request a style sheet if the full URL was known in advance. As of December 18, 2025 there is no known exploit of the issue. The problem has been fixed in version 4.9.117 on December 3, 2025. The style sheets are now parsed using the modern Constructed Style Sheets API and the contents of cross-origin style sheets are no longer stored in page's Session Storage. Version 4.9.118 (December 8, 2025) restricts cross-origin requests to localhost aliases, IP addresses, hosts with ports and non-HTTPS resources. The absolute majority of users have received an update 4.1.117 or 4.9.118 automatically within a week. However users must ensure their automatic updates are not blocked and they are using the latest version of the extension by going to chrome://extensions or about:addons pages in browser settings. Users utilizing manual builds must upgrade to version 4.9.118 and above.\nDevelopers using `darkreader` NPM package for their own websites are likely not affected, but must ensure the function passed to `setFetchMethod()` for performing cross-origin requests works within the intended scope. Developers using custom forks of earlier versions of Dark Reader to build other extensions or integrating into their apps or browsers must ensure they perform cross-origin requests safely and the responses are not accessible outside of the app or extension.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2025-68467"
                },
                {
                    "category": "description",
                    "text": "### Description\nDark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example `http://localhost:8080/style.css`, if an address was available and returned a `text/css` content type.\n\n### Patches\nThe problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.\n\nThe installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, `chrome://extensions` or `about:addons` pages.\n\nUsers are encouraged not to disable automatic extension updates and to use the latest browser version, as browser releases typically include multiple security fixes of varying severity.\n\n### NPM package\n\nThe issue does not affect developers using the `darkreader` NPM package for website integration. Developers using the `setFetchMethod()` API must ensure the cross-origin requests are restricted to the intended scope.\n\n### Custom forks\n\nDevelopers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.\n\n### Acknowledgements\nSecurity research performed by [Brian Carpenter](https://x.com/geeknik) - [Deep Fork Cyber](https://deepforkcyber.com/).",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-x369-mcw8-8rvj.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00016",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), Is related to CWE-346 (Origin Validation Error)",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent EPSS score, The value of the most recent CVSS (V3) score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5759409",
                    "CSAFPID-5759803"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-x369-mcw8-8rvj"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-x369-mcw8-8rvj"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-68467"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-68467"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/68xxx/CVE-2025-68467.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-x369-mcw8-8rvj.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68467"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=10000"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-x369-mcw8-8rvj"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
                        "baseScore": 3.4,
                        "baseSeverity": "LOW"
                    },
                    "products": [
                        "CSAFPID-5759409",
                        "CSAFPID-5759803"
                    ]
                }
            ],
            "title": "CVE-2025-68467"
        }
    ]
}