CVE-2025-59430: Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
The createLink.openLink function does not validate the protocol (scheme) of the URL it is asked to open. A URL with a scripting scheme such as javascript: is therefore opened as-is, which allows arbitrary JavaScript to execute in the context of the parent page that embeds the SDK (cross-site scripting). The fix in the referenced commit adds the missing URL validation.
References
- github.com/FrontFin/mesh-web-sdk
- github.com/FrontFin/mesh-web-sdk/blob/cf013b85ab95d64c63cbe46d6cb14695474924e7/packages/link/src/Link.ts
- github.com/FrontFin/mesh-web-sdk/commit/7f22148516d58e21a8b7670dde927d614c0d15c2
- github.com/FrontFin/mesh-web-sdk/security/advisories/GHSA-vh3f-qppr-j97f
- github.com/advisories/GHSA-vh3f-qppr-j97f
- nvd.nist.gov/vuln/detail/CVE-2025-59430