
PDFViewer Cross-Site Scripting (XSS) Vulnerability (6725)

Environment

Product: Progress® Kendo UI® PDFViewer for Angular

Description

Security Notification - July 2025 - CVE-2025-6725

  • Progress® Kendo® UI for Angular PDFViewer (18.5.0)

What Are the Impacts

The PDFViewer component has a Cross-Site Scripting (XSS) vulnerability that can be exploited if a specially-crafted document is loaded and the user interacts with a tool that requires the DOM to be re-rendered. This could allow an attacker to execute arbitrary JavaScript code in the context of the user's session, potentially leading to data theft or other malicious actions.

Issue

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, which falls under the category of:

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting' or 'XSS').

Solution

We have addressed the issue, and the Progress team strongly recommends upgrading to at least version 19.2.0. Upgrading closes this vulnerability in any application that has PDFViewer installed.

Affected Versions             Update to
>= v18.5.0 && <= v19.1.2      >= v19.2.0

To update your application, follow the standard upgrade process for Kendo UI for Angular components. This typically involves updating the package versions in your package.json file.

You can run the following command to update all @progress packages to the latest published version in the package.json file. The command only changes the version of the packages; it does not install them. After running it, run npm install or yarn install to apply the changes. Note that "latest" may be a release later than 19.2.0, so review the release notes for the versions it selects and confirm the resolved version in your lockfile after installing:

```bash
npx npm-check-updates --upgrade --filter "/@progress.*/"
```

Notes

  • If you do not use the PDFViewer in your application, the application is not vulnerable.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.

External References