New to Telerik UI for Blazor? Start a free 30-day trial
PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
Updated on Jul 2, 2025
Environment
| Product | PDF Viewer for Blazor |
| Version | From 3.6.0 to 9.0.0 |
Description
This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability CVE-2025-6725 in the Telerik PDF Viewer component for Blazor.
- The weakness ID is CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- The vulnerability CVSS score is
5.4(medium).
The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.
Solution
If your Blazor app uses the Telerik PDF Viewer, then upgrading Telerik UI for Blazor to version 9.1.0 or later is strongly recommended.
All customers with a Telerik license can:
- Access the Downloads page in their Telerik account.
- Reference NuGet packages on the Telerik NuGet server.
Notes
- If you do not use the PDF Viewer in your application, the application is not vulnerable.
- If you have any questions or concerns related to this issue, open a new technical support ticket from the Telerik Support Center. Technical support is available to customers with an active license and support plan.
- We would like to thank Harmen van Keimpema for responsibly disclosing this vulnerability.