CVE-2025-47204: Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data

May 13, 2025 (updated May 15, 2025)

An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).

References

github.com/advisories/GHSA-gv5r-9gxr-v74w
github.com/davidstutz/bootstrap-multiselect
github.com/davidstutz/bootstrap-multiselect/releases
github.com/projectdiscovery/nuclei-templates/commit/11e1a6c11d3954f44acfb0274b6dad4bd8045103
nvd.nist.gov/vuln/detail/CVE-2025-47204

Code Behaviors & Features

Detect and mitigate CVE-2025-47204 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →