SCA: security update for label-studio (GHSA-wpq5-3366-mqw4)

medium Tenable Cloud Security Plugin ID 420908

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's
`/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an
appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config
with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting
(XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode,
making it ineffective at preventing script execution. The vulnerability exists because the upload-example
endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows
attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a
maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript
in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious
actions. Version 1.16.0 contains a patch for the issue. (CVE-2025-25296)

See Also

https://github.com/advisories/GHSA-wpq5-3366-mqw4

Plugin Details

Severity: Medium

ID: 420908

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 2/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-25296

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2025

Vulnerability Publication Date: 2/14/2025

Reference Information

CVE: CVE-2025-25296

cwe: CWE-79