Key Information Summary Vulnerability Overview CVE ID: CVE-2025-56683 Vulnerability Type: DOM-based Cross-Site Scripting (XSS) leading to Remote Code Execution (RCE) Affected Product: Logseq Application Technical Details 1. DOM-based XSS Vulnerability - File: - Line Number: 82 - Description: During processing of document location parameters, user input is not adequately validated or encoded, allowing attackers to inject JavaScript code via malicious URLs. - Exploitation: Attackers can trigger XSS by crafting URLs such as . 2. Missing Protocol Validation - File: - Line Number: 123 - Description: The function does not validate the URL protocol before calling , permitting URLs with arbitrary protocols to be opened. - Exploitation: Attackers can construct URLs like or , leading to local file disclosure or remote script loading. CVSS v3.1 Score Base Score: 9.0 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Proof of Concept (PoC) Environment: Logseq Desktop Application v0.0.9, Windows 10 Steps: 1. Launch the Logseq application. 2. Install and activate the plugin. 3. Construct a URL using . 4. Upon execution, a browser alert box will pop up. Recommended Mitigation Measures 1. Strictly validate and encode content retrieved from query parameters. 2. Implement a protocol whitelist to restrict the types of URLs that can be opened. Vendor Response and Patch Information The Logseq team has acknowledged the vulnerability and released a patched version. The patch includes security checks and the introduction of a protocol whitelist. Timeline 2023-04-23: Vulnerability discovered and reported to Logseq support team. 2023-04-24: Vulnerability confirmed and remediation initiated. 2023-04-28: Patch released. 2023-05-10: Security advisory publicly disclosed.