
CVE-2025-46827: Graylog Allows Session Takeover via Insufficient HTML Sanitization

CVSS Score: 8 (CVSS v3.1)

Basic Information

- EPSS Score: 0.10898%
- Published: 5/7/2025
- Updated: 5/13/2025
- KEV Status: No
- Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.graylog2:graylog2-server | maven | <= 6.0.13 | 6.0.14 |
| org.graylog2:graylog2-server | maven | >= 6.1.0, <= 6.1.9 | 6.1.10 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability allows session takeover via insufficient HTML sanitization, specifically in the 'Event Definition Remediation Step field'. The analysis of the patches shows two main areas of concern:

  1. Backend DTOs: Methods like org.graylog.events.processor.EventDefinitionDto.remediationSteps() (and similarly description() in content pack DTOs) were patched to add @JsonSerialize(converter = HTMLSanitizerConverter.class). This indicates that previously, these methods returned raw strings which, when serialized to JSON for the frontend, would include any malicious HTML/JavaScript. This unsanitized data is the core of the vulnerability on the backend side.
  2. Frontend Components: The Markdown.tsx component, likely used for rendering these fields, had its sanitization logic (using DOMPurify and marked) strengthened. This implies its previous sanitization was insufficient. Additionally, markdown editor components like MDBaseEditor.tsx (and its consumers Editor.tsx, EditorModal.tsx) had sanitization added or strengthened for input events like onBlur and onPaste.

The exploitation occurs when an attacker submits HTML in a field like 'Remediation Steps', which is then stored and later rendered to a victim. The identified backend functions are responsible for providing this data for serialization without prior sanitization. The identified frontend component (Markdown) is responsible for rendering this data, and its previous state allowed script execution. The editor component (MDBaseEditor) was involved in the input phase.
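As an added illustration, not Graylog's code, the sanitize-on-serialize pattern the backend part of the fix points to: a Jackson `StdConverter` attached with `@JsonSerialize(converter = ...)` so a stored remediation-steps string is cleaned every time it is serialized for the frontend. The converter name, the DTO shape and the use of Jsoup's `Safelist` (jsoup 1.14+) as the sanitizer are assumptions; Graylog's own HTMLSanitizerConverter may work differently.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.fasterxml.jackson.databind.util.StdConverter;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class SanitizeOnSerializeDemo {
    // Hypothetical converter modelled on the pattern described above; not Graylog's class.
    // Jackson applies it every time the annotated getter is serialized, so a value that was
    // stored unsanitized (e.g. before the fix, or via another code path) is still cleaned on output.
    public static class HtmlSanitizingConverter extends StdConverter<String, String> {
        @Override
        public String convert(String value) {
            if (value == null) {
                return null;
            }
            // Safelist.basic() keeps simple formatting tags and drops <form>, <script>,
            // inline event handlers and javascript: URLs.
            return Jsoup.clean(value, Safelist.basic());
        }
    }

    // Minimal stand-in for an event definition DTO (constructed for this example).
    public static class EventDefinitionExample {
        private final String title;
        private final String remediationSteps;

        public EventDefinitionExample(String title, String remediationSteps) {
            this.title = title;
            this.remediationSteps = remediationSteps;
        }

        public String getTitle() { return title; }

        // Sanitized on the way out, mirroring the @JsonSerialize(converter = ...) fix described above.
        @JsonSerialize(converter = HtmlSanitizingConverter.class)
        public String getRemediationSteps() { return remediationSteps; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a stored remediation step carrying markup that must not reach a browser.
        String stored = "<p>Rotate the leaked key.</p>"
                + "<form action=\"https://example.invalid/collect\"><input name=\"c\"></form>"
                + "<b onclick=\"alert(1)\">Then</b> <script>alert(1)</script>restart the node.";
        EventDefinitionExample dto = new EventDefinitionExample("Key leak", stored);
        // The JSON sent to the frontend contains only the safelisted markup.
        System.out.println(new ObjectMapper().writeValueAsString(dto));
    }
}
```

Output-side sanitization also covers records that were stored before the fix or written through the REST API rather than the browser editor; the editor-side onBlur/onPaste sanitization described in item 2 is defence in depth, not a substitute for it.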


WAF Protection Rules

### Impact

It is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, w…
