Overview
Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint
Advisory
Label Studio versions before 1.16.0 allow Cross-Site Scripting (XSS) via a GET request to the `/projects/upload-example` endpoint. Because the injection is reachable through a GET request, the attack needs nothing more than a user of the instance opening a crafted link to that endpoint: the attacker-supplied script then runs in the victim's browser under the Label Studio origin, with whatever access the victim's session has. The fix shipped in label-studio 1.16.0 (upstream advisory GHSA-wpq5-3366-mqw4 and commit 8cf6958e1e27ef6a03ed287e674470975d340885, both linked under References).
How to Fix
Upgrade label-studio to 1.16.0 or higher.
Mitigation and Workarounds
---
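As an added example (not code from Label Studio, from the upstream advisory, or from this page), the following Python scans a front-proxy access log for GET requests to `/projects/upload-example` whose query string, once percent-decoding is undone, carries script tags, inline event handlers, `javascript:` URLs, or similar executable markup. The Combined Log Format and the sample lines are constructed for illustration, and the `label_config` parameter name in them is an assumption: the detector inspects every query parameter and does not depend on that name.

```python
"""Flag GET requests to /projects/upload-example whose decoded query values
carry HTML script-injection markers.

Added example for reviewing logs around CVE-2025-25296; not Label Studio code.
The log format (Combined Log Format) and the sample lines are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format as written by nginx/Apache by default (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/projects/upload-example"

# Markers checked against every decoded query value. Label Studio labeling
# configs are XML-style tags, so a bare "<" is normal here and is not flagged.
XSS_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
}

# Constructed sample traffic (TEST-NET addresses); not real Label Studio logs.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:09:58:11 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3CText%20name%3D%22txt%22%20value%3D%22%24text%22/%3E%3C/View%3E HTTP/1.1" 200 2140 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2025:09:58:40 +0000] "GET /projects/upload-example?label_config=%3CView%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3C/View%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2025:10:02:03 +0000] "GET /projects/upload-example?label_config=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 1980 "-" "curl/8.4.0"
10.0.0.5 - - [14/Feb/2025:10:05:44 +0000] "GET /projects/12/data?tab=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, so a double-encoded
    '%253C' is still recognised as '<'. Stops early once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line: str):
    """Return a finding dict for a suspicious GET to TARGET_PATH, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if parts.path.rstrip("/") != TARGET_PATH:
        return None
    # parse_qsl already removes one encoding layer; fully_decode handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        for marker, pattern in XSS_MARKERS.items():
            if pattern.search(value):
                return {
                    "ip": m["ip"], "time": m["ts"], "status": m["status"],
                    "param": name, "marker": marker, "value": value[:120],
                }
    return None


def scan(log_text: str):
    """All findings for a block of log lines, in file order."""
    return [f for f in (inspect_request(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it over the proxy logs from before the upgrade to learn whether the endpoint was probed. A hit with a 200 status on a pre-1.16.0 instance is worth following up with the surrounding requests from that client and a look at the sessions of whichever users may have opened the link. The first sample line shows why the markers are deliberately narrow: a legitimate request to this endpoint carries an XML labeling config, so alerting on angle brackets alone would drown the real findings in noise.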
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250214-66582/CVE-2025-25296
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25296
- https://github.com/advisories/GHSA-wpq5-3366-mqw4
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-wpq5-3366-mqw4
- https://github.com/HumanSignal/label-studio/commit/8cf6958e1e27ef6a03ed287e674470975d340885
- https://nvd.nist.gov/vuln/detail/CVE-2025-25296
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
