New to Telerik UI for BlazorStart a free 30-day trial

PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)

Updated on Jul 2, 2025

Environment

ProductPDF Viewer for Blazor
VersionFrom 3.6.0 to 9.0.0

Description

This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability CVE-2025-6725 in the Telerik PDF Viewer component for Blazor.

The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.

Solution

If your Blazor app uses the Telerik PDF Viewer, then upgrading Telerik UI for Blazor to version 9.1.0 or later is strongly recommended.

All customers with a Telerik license can:

Notes

  • If you do not use the PDF Viewer in your application, the application is not vulnerable.
  • If you have any questions or concerns related to this issue, open a new technical support ticket from the Telerik Support Center. Technical support is available to customers with an active license and support plan.
  • We would like to thank Harmen van Keimpema for responsibly disclosing this vulnerability.

See Also