PDFViewer Cross-Site Scripting (XSS) Vulnerability (6725)

Environment

Description

Security Notification - July 2025 - CVE-2025-6725

• Progress® Kendo® UI for Angular PDFViewer (18.5.0)

What Are the Impacts

The PDFViewer component has a Cross-Site Scripting (XSS) vulnerability that can be exploited if a specially-crafted document is loaded and the user interacts with a tool that requires the DOM to be re-rendered. This could allow an attacker to execute arbitrary JavaScript code in the context of the user's session, potentially leading to data theft or other malicious actions.

Issue

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, which falls under the category of:

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting' or 'XSS').

Solution

We have addressed the issue and the Progress team strongly recommends performing an upgrade to at least version 19.2.0. The update will ensure that your application is secure against this vulnerability if PDFViewer is installed.

To update your application, follow the standard upgrade process for Kendo UI for Angular components. This typically involves updating the packages version in your package.json file.

You can run the following script to update all @progress packages to the latest version in the package.json file. The script will only change the version of the pacakges, but will not install them. After running the script, you will need to run npm install or yarn install to apply the changes:

npx npm-check-updates --upgrade --filter "/@progress.*/"

Notes

• If you do not use the PDFViewer in your application, the application is not vulnerable.
• If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.

External References

• CVE-2025-6725 (MEDIUM)
• CVSS: 5.4