PDFViewer Cross-Site Scripting (XSS) Vulnerability (6725)
Environment
Product | Progress® Kendo UI® PDFViewer for Angular |
Description
Security Notification - July 2025 - CVE-2025-6725
- Progress® Kendo® UI for Angular PDFViewer (18.5.0)
What Are the Impacts
The PDFViewer component has a Cross-Site Scripting (XSS) vulnerability that can be exploited if a specially-crafted document is loaded and the user interacts with a tool that requires the DOM to be re-rendered. This could allow an attacker to execute arbitrary JavaScript code in the context of the user's session, potentially leading to data theft or other malicious actions.
Issue
The vulnerability is classified as a Cross-Site Scripting (XSS) issue, which falls under the category of:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting' or 'XSS').
Solution
We have addressed the issue, and the Progress team strongly recommends upgrading to at least version 19.2.0. The update will ensure that your application is secure against this vulnerability if PDFViewer is installed.
Affected Versions | Update to |
---|---|
>= v18.5.0 && <= v19.1.2 | >= v19.2.0 |
To update your application, follow the standard upgrade process for Kendo UI for Angular components. This typically involves updating the package versions in your package.json file.
You can run the following script to update all @progress packages to the latest version in the package.json file. The script only changes the versions of the packages and does not install them. After running the script, you will need to run npm install or yarn install to apply the changes:
npx npm-check-updates --upgrade --filter "/@progress.*/"
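To confirm that no installed copy of the PDFViewer remains in the affected range (>= 18.5.0 and <= 19.1.2), the parsed package-lock.json can be checked as in the following added example, which is not part of the original advisory or Progress tooling. It assumes the component ships as the npm package `@progress/kendo-angular-pdfviewer` and a lockfile with a "packages" map (lockfileVersion 2 or 3); the sample lockfile and the `legacy-widget` name are constructed.

```javascript
// Added example: flag installs of the PDFViewer package that fall in the
// advisory's affected range (>= 18.5.0 && <= 19.1.2).
// Assumption: the component ships as the npm package named below.
const PDFVIEWER_PACKAGE = "@progress/kendo-angular-pdfviewer";
const AFFECTED_MIN = [18, 5, 0];
const AFFECTED_MAX = [19, 1, 2];

// "19.1.2" or "v19.1.2" -> [19, 1, 2]; null if no x.y.z prefix is present.
// Pre-release tags (for example "-dev.1") are ignored in this sketch.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, AFFECTED_MIN) >= 0 &&
    compareVersions(v, AFFECTED_MAX) <= 0;
}

// lock: the result of JSON.parse on package-lock.json contents.
// Returns every installed copy of the package, including nested ones
// pulled in by other dependencies.
function findPdfViewerInstalls(lock) {
  const suffix = "node_modules/" + PDFVIEWER_PACKAGE;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({ path, version: entry.version, affected: isAffected(entry.version) }));
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@progress/kendo-angular-pdfviewer": { version: "19.1.2" },
    "node_modules/legacy-widget/node_modules/@progress/kendo-angular-pdfviewer": { version: "18.4.1" },
    "node_modules/@progress/kendo-angular-buttons": { version: "19.1.2" },
  },
};

console.log(findPdfViewerInstalls(sampleLock));
```

Any entry reported with `affected: true` still needs the upgrade to 19.2.0 or later, even when the top-level dependency has already been bumped.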
Notes
- If you do not use the PDFViewer in your application, the application is not vulnerable.
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.
External References
- CVE-2025-6725 (MEDIUM)
- CVSS: 5.4