Medium (5.9) CVE-2025-67231

TDSA-2025-003

Reflected Cross-Site Scripting (XSS) Vulnerability

Details Published:

Product
ToDesktop Builder
Affected Versions
ToDesktop Builder before 0.33.1
Fixed In
0.33.1
Credited To
Hunter Wodzenski

Most likely, no action is required

If you have automatic security updates enabled (the default), your application has already been updated automatically. End-users will receive the fix automatically when using your app. No action is required.

What if I have disabled automatic security updates?

The small number of users who have explicitly disabled automatic security updates have been contacted directly by our team to ensure their apps are updated.

For reference, the manual update steps are:

  1. Update ToDesktop Builder to version 0.33.1 or later
  2. Rebuild your application
  3. Release a new version of your app to your users

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) was identified in the custom URL protocol handler of applications built with ToDesktop Builder before version 0.33.1. This vulnerability allows attackers to craft a malicious protocol link that executes arbitrary JavaScript in the context of the application’s offline page, with access to the ToDesktop API.

This issue was proactively identified through our Vulnerability Disclosure Program and resolved before any known exploitation occurred.

Impact

  • Severity: Medium (CVSS 4.0: 5.9)
  • Attack Vector: Network-based, requires user interaction with a malicious link
  • Potential Impact: An attacker could craft a malicious custom protocol link that, when clicked by a user, executes arbitrary JavaScript code with access to the ToDesktop API. This could be leveraged to perform unauthorized actions such as opening malicious pages in the user’s browser.

Technical Details

Applications built with affected versions of ToDesktop Builder were susceptible to reflected XSS attacks via the custom URL protocol handler. When the offline screen is enabled, user-supplied input in the protocol URL was not properly sanitized before being rendered, allowing an attacker to inject malicious scripts that execute when a user clicks a crafted link.

CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Timeline

All timestamps are in Coordinated Universal Time (UTC).

Date and Time Event
September 25th, 2025 1:42am Vulnerability reported by Hunter Wodzenski.
September 26th, 2025 11:30pm Fixed version of ToDesktop Builder released.

References