Home > Vulnerability Database > CVE-2025-27608

Mend.io Vulnerability Database

CVE-2025-27608

Good to know:

Date: April 2, 2025

Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.

Severity Score

5.0

Related Resources (4)

Url: https://github.com/arduino/arduino-ide/commit/d298b3ffc94008e89066cd999d891e84190da18f

Url: https://github.com/arduino/arduino-ide/security/advisories/GHSA-252h-4j5q-88pc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27608

Url: https://www.mend.io/vulnerability-database/CVE-2025-27608

Severity Score

5.0

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/arduino/arduino-ide.git - 2.3.5

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27608

Good to know:

Date: April 2, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?