CVE-2025-64744 - Vulnerability Details - OpenCVE

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Openobserve	Openobserve

No data.

No data.

References

Link	Providers
https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458

History

Fri, 14 Nov 2025 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openobserve Openobserve openobserve
Vendors & Products		Openobserve Openobserve openobserve

Thu, 13 Nov 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Nov 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.
Title		OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails
Weaknesses		CWE-79
References		https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-11-13T20:30:20.960Z

Updated: 2025-11-13T21:14:33.407Z

Reserved: 2025-11-10T22:29:34.871Z

Link: CVE-2025-64744

Vulnrichment

Updated: 2025-11-13T21:14:21.734Z

NVD

Status : Awaiting Analysis

Published: 2025-11-13T21:15:54.073

Modified: 2025-11-14T16:42:03.187

Link: CVE-2025-64744

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64744", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-10T22:29:34.871Z", "datePublished": "2025-11-13T20:30:20.960Z", "dateUpdated": "2025-11-13T21:14:33.407Z"}, "containers": {"cna": {"title": "OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458"}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"version": "<= 0.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-13T20:30:20.960Z"}, "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available."}], "source": {"advisory": "GHSA-3jpx-57gj-w458", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T21:14:16.774486Z", "id": "CVE-2025-64744", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:14:33.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64744", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T21:14:16.774486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:14:21.734Z"}}], "cna": {"title": "OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails", "source": {"advisory": "GHSA-3jpx-57gj-w458", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"status": "affected", "version": "<= 0.16.1"}]}], "references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458", "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-13T20:30:20.960Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64744", "state": "PUBLISHED", "dateUpdated": "2025-11-13T21:14:33.407Z", "dateReserved": "2025-11-10T22:29:34.871Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-13T20:30:20.960Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}