External risk intelligence

MISP Workflow Execution Path XSS Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2025-67906

MISP (Malware Information Sharing Platform) is a web-based application designed to be accessed and used by teams to share threat intelligence. It is commonly deployed as a web application reachable over a network, making its web interface a standard, intentionally exposed component for user access.

Cross-site Scripting

Misp Project Misp

before 2.5.28

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the MISP platform that could allow for cross-site scripting within workflow execution paths. This means that a malicious actor could potentially inject harmful code through the platform's workflow features, impacting users interacting with those workflows. The main concern is confirming relevance and exposure.

  • Injects malicious code via workflows.
  • Impacts users interacting with workflows.
  • Confirm relevance and understand exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a cross-site scripting vulnerability in the workflow execution path of MISP. This would likely begin with an unauthenticated attacker targeting a user of the MISP application. By tricking a logged-in user into interacting with a specially crafted link or input, the attacker could inject malicious scripts that execute within the user's browser, potentially leading to the theft of sensitive information or unauthorized actions.

  • Requires user interaction.
  • Inject script into workflow path.
  • Widespread data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for cross-site scripting (XSS) within the workflow execution path of MISP. When a user with lower privileges interacts with a specially crafted workflow, malicious scripts could be injected and executed in their browser. This could potentially lead to unauthorized actions being performed on behalf of the user.

  • User session data could be exposed.
  • Malicious scripts may execute in browser.
  • Unauthorized actions could be performed.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MISP application owner is responsible for addressing this cross-site scripting vulnerability. The first practical step is to identify all deployed MISP instances, confirm their network reachability and business criticality, and then assign an owner for remediation planning.

  • Identify and assign MISP instance owners.
  • Verify network exposure and business criticality.
  • Plan remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or the Malware Information Sharing Platform, is a web-based application used by organizations to collaboratively collect, store, and distribute technical threat intelligence. It serves as a central hub where security teams document indicators of compromise and share research on emerging threats, making it an essential tool for coordinated defensive operations.

What does CWE-79 mean for CVE-2025-67906?

CWE-79 refers to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-Site Scripting (XSS). In the context of CVE-2025-67906, this means the software fails to properly sanitize user-supplied data within its workflow execution path. As a result, an attacker can embed malicious scripts that run inside the browsers of other users who view the affected workflow page, allowing the script to act as if it were the legitimate user.

How is this MISP vulnerability triggered?

Triggering this flaw requires a logged-in user to interact with a specially crafted workflow component. The vulnerability is not triggered by simply visiting the platform; it relies on the execution of the workflow feature where the unsafe data is processed. If a user does not view or interact with a compromised workflow path, the malicious script remains dormant.

Is my MISP instance at risk according to Halo Surface Signal?

Halo Surface Signal flags this as likely relevant because MISP is inherently a network-connected application designed for collaborative sharing. Since the platform's primary purpose is to be accessible over a network by authorized teams, the web interface is naturally exposed. Organizations should treat any internet-facing MISP deployment as having a higher potential for interaction with untrusted sources.

How do I start addressing this CVE?

The immediate priority is to locate all MISP installations across your infrastructure and determine who is responsible for managing them. Once identified, verify if those instances are running a version earlier than 2.5.28, which contains the fix. Coordinate with your team to plan an upgrade to the latest stable version, as this is the standard method for resolving known application-level code weaknesses.

References