CVE-2025-3019

CVE-2025-3019 is a set of cross-site scripting (XSS) vulnerabilities, classified under CWE-79, affecting KNIME Business Hub web pages. These flaws stem from a bug in the widely used nuxt-security module, as documented in GitHub issue #610. The vulnerabilities have a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, and cross-origin impact with limited confidentiality and integrity effects.

Attackers can exploit these XSS issues by crafting malicious links or web pages that, when accessed by a legitimate KNIME Business Hub user, trigger execution of arbitrary JavaScript in the victim's browser context. This grants the script the user's permissions, potentially enabling theft, loss, or modification of sensitive data within the application. No authentication is needed on the attacker's side, making it feasible for remote unauthenticated actors to target users via phishing or malicious sites.

The KNIME security advisory provides no viable workarounds and urges immediate updates to KNIME Business Hub version 1.13.3 or later, or 1.12.4 or later for affected branches. Full details are available at https://www.knime.com/security/advisories#CVE-2025-3019.