CVE-2025-30223
Published: 31 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-30223 is a Cross-Site Scripting (XSS) vulnerability in Beego, an open-source web framework for the Go programming language. Prior to version 2.3.6, the RenderForm() function fails to properly escape user-controlled data when generating HTML form markup, allowing arbitrary JavaScript injection. This issue, classified under CWE-79, carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) due to its network accessibility, low complexity, lack of required privileges, reliance on user interaction, cross-scope impact, and high confidentiality and integrity effects. It impacts any Beego-based application that invokes RenderForm() with untrusted input, as developers may incorrectly assume automatic attribute escaping akin to other frameworks.
Attackers can exploit this vulnerability remotely without authentication by tricking users into interacting with a maliciously crafted form rendered via RenderForm(). Once it executes in the victim's browser, the injected JavaScript can steal session cookies or credentials or perform an account takeover, enabling further data exfiltration or unauthorized actions on the victim's behalf. The changed scope (S:C) amplifies the risk, as exploitation occurs in the browser context rather than on the server.
The vulnerability is addressed in Beego version 2.3.6, where the RenderForm() function now properly escapes user-controlled data. Official mitigation guidance is available in the Beego security advisory at https://github.com/beego/beego/security/advisories/GHSA-2j42-h78h-q4fg and the fixing commit at https://github.com/beego/beego/commit/939bb18c66406466715ddadd25dd9ffa6f169e25; practitioners should upgrade immediately and audit uses of RenderForm() in existing applications.
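The escaping gap described above, shown with an added Go example that is not Beego's own code: a toy field renderer that concatenates the value unescaped (the class of bug described for RenderForm() before 2.3.6) beside one that runs every interpolated string through html.EscapeString, plus a small audit helper that feeds a probe value through any renderer and reports whether the probe came back as raw markup. Field, renderInputUnsafe, renderInputSafe and EscapesAttributeValue are names assumed for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Field is a minimal stand-in for a struct field that a form renderer turns
// into an <input>. Illustration only; this is not Beego's form model.
type Field struct {
	Name  string
	Label string
	Value string // may be user-controlled, e.g. re-displayed after a failed POST
}

// renderInputUnsafe builds markup by plain string interpolation and never
// escapes the value: a double quote in Value closes the attribute, so data
// supplied by the user becomes markup. This is the bug class, not Beego's code.
func renderInputUnsafe(f Field) string {
	return fmt.Sprintf(`<label>%s</label><input type="text" name="%s" value="%s">`,
		f.Label, f.Name, f.Value)
}

// renderInputSafe escapes every interpolated string. html.EscapeString encodes
// < > & ' and ", so Value can only ever be attribute text.
func renderInputSafe(f Field) string {
	return fmt.Sprintf(`<label>%s</label><input type="text" name="%s" value="%s">`,
		html.EscapeString(f.Label), html.EscapeString(f.Name), html.EscapeString(f.Value))
}

// EscapesAttributeValue is an audit check: it renders a field whose value
// carries an attribute-breaking probe (constructed here) and reports whether
// the probe survived as raw markup. Wrap an application's own form renderer
// in a func(Field) string to run the same regression check against it.
func EscapesAttributeValue(render func(Field) string) bool {
	const probe = `"><i>probe</i>`
	out := render(Field{Name: "name", Label: "Name", Value: "Alice" + probe})
	return !strings.Contains(out, probe)
}

func main() {
	f := Field{Name: "name", Label: "Name", Value: `Alice"><i>probe</i>`}
	fmt.Println("unsafe:", renderInputUnsafe(f)) // probe appears as a real element
	fmt.Println("safe:  ", renderInputSafe(f))   // probe is inert attribute text
	fmt.Println("unsafe passes audit:", EscapesAttributeValue(renderInputUnsafe))
	fmt.Println("safe passes audit:  ", EscapesAttributeValue(renderInputSafe))
}
```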
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in RenderForm() allows arbitrary JS injection in browser context via user interaction with attacker-crafted forms, directly enabling drive-by compromise of visiting users.