Label Studio is a popular open-source data labeling tool used by data scientists and machine learning engineers in various industries. Unfortunately, prior to version 1.16., Label Studio's /projects/upload-example endpoint was found to be vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate HTML sanitization.

Vulnerability Details

The vulnerability, tracked as CVE-2025-25296, is caused by the /projects/upload-example endpoint accepting a GET request whose label_config query parameter is rendered into the page without adequate HTML sanitization. An attacker can craft an XML label config whose inline task data carries HTML or JavaScript; because that data is reflected unescaped, the script runs in the browser, achieving XSS.

Compounding this, the Label Studio application does ship a Content Security Policy (CSP), but it is only delivered in report-only mode, so violations are logged rather than blocked and the policy does nothing to stop script execution. As a result, attackers can exploit the vulnerability by luring victims to a maliciously crafted URL and executing JavaScript in the victims' browsers. This can lead to the theft of sensitive data, session hijacking, or other harmful actions.

Suppose an attacker crafts a malicious URL whose label_config parameter carries the following snippet:

<label-value key="user_data">
  <![CDATA[
    <script>alert("XSS")</script>
  ]]>
</label-value>

A victim visiting this URL would trigger execution of the JavaScript embedded in the CDATA section of the XML label config, causing an alert to pop up in their browser and demonstrating a successful exploit of the XSS vulnerability.

Mitigation

The issue has been addressed in Label Studio version 1.16., which contains a patch to ensure proper sanitization of user-provided HTML content on GET requests to the /projects/upload-example endpoint. It is strongly recommended for users to update their Label Studio installations to the latest version to avoid falling victim to XSS attacks.
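The two defensive points above (escaping inline task data before it reaches the page, and checking that the CSP is actually enforced rather than report-only) as an added, self-contained illustration. This is example code, not Label Studio's patch; the root element, the label-value/key handling and the sample headers are constructed assumptions for the demo.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the advisory's snippet wrapped in an assumed root element.
SAMPLE_LABEL_CONFIG = """<View>
  <label-value key="user_data">
    <![CDATA[
      <script>alert("XSS")</script>
    ]]>
  </label-value>
</View>"""


def extract_inline_task_data(label_config: str) -> dict:
    """Parse a label config and return its inline task data keyed by the
    (assumed) 'key' attribute, HTML-escaped so that inserting a value into
    a page yields visible text rather than executable markup."""
    root = ET.fromstring(label_config)
    data = {}
    for elem in root.iter("label-value"):
        key = elem.get("key")
        raw = (elem.text or "").strip()  # CDATA content arrives as plain text
        data[key] = html.escape(raw, quote=True)
    return data


def csp_is_enforced(headers: dict) -> bool:
    """True only when an enforcing Content-Security-Policy header is present.
    A Content-Security-Policy-Report-Only header alone (the advisory's case)
    merely reports violations and does not block inline script execution."""
    lowered = {name.lower() for name in headers}
    return "content-security-policy" in lowered


if __name__ == "__main__":
    # Constructed response headers mimicking the report-only deployment.
    report_only = {"Content-Security-Policy-Report-Only": "default-src 'self'"}
    print(extract_inline_task_data(SAMPLE_LABEL_CONFIG))
    print("CSP enforced:", csp_is_enforced(report_only))
```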

- Label Studio GitHub Repository: https://github.com/heartexlabs/label-studio
- Label Studio Changelog (v1.16.): https://github.com/heartexlabs/label-studio/blob/master/CHANGELOG.md
- CVE-2025-25296 at NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25296

Conclusion

CVE-2025-25296 is a critical XSS vulnerability present in Label Studio prior to version 1.16.. Attackers can take advantage of this vulnerability to steal sensitive data, hijack sessions, or perform other malicious actions. Upgrading to Label Studio 1.16. or later is crucial to prevent potential exploits and secure your application.

Timeline

Published on: 02/14/2025 20:15:36 UTC