Vulnerability Description
Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/FrontFin/mesh-web-sdk/blob/cf013b85ab95d64c63cbe46d6cb1469547
- https://github.com/FrontFin/mesh-web-sdk/commit/7f22148516d58e21a8b7670dde927d61
- https://github.com/FrontFin/mesh-web-sdk/pull/124
- https://github.com/FrontFin/mesh-web-sdk/security/advisories/GHSA-vh3f-qppr-j97f
FAQ
What is CVE-2025-59430?
CVE-2025-59430 is a vulnerability with a CVSS score of 8.2 (HIGH). Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the executio...
How severe is CVE-2025-59430?
CVE-2025-59430 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-59430?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.