CVE-2025-25296: Label Studio: reflected XSS via label_config param

GHSA-wpq5-3366-mqw4 MEDIUM PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published February 14, 2025
CISO Take

Upgrade Label Studio to 1.16.0 immediately on any instance accessible to annotation teams. This reflected XSS requires zero privileges—an attacker sends a crafted URL to an annotator, steals their session, and gains full access to annotation projects and training datasets. Organizations handling sensitive or proprietary ML training data via Label Studio should treat this as high operational priority despite the medium CVSS score.

What is the risk?

CVSS 6.1 understates operational risk in ML pipeline contexts. Label Studio routinely handles proprietary training datasets, PII, and sensitive labeling work. The CSP is configured in report-only mode—effectively disabled—removing a critical defense layer. No authentication is required; the only barrier is user interaction with a malicious link. Organizations with internet-exposed or multi-user Label Studio deployments face meaningful risk of session hijacking and training data exfiltration.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Label Studio | pip | < 1.16.0 | 1.16.0 |

Do you use Label Studio? You're affected.

How severe is it?

CVSS 3.1
6.1 / 10
EPSS
1.8%
chance of exploitation in 30 days
Higher than 75% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network
AC Low
PR None
UI Required
S Changed
C Low
I Low
A None

What should I do?

  1. Patch: Upgrade to Label Studio >= 1.16.0 immediately.

  2. Workaround if patching is delayed: block external access to /projects/upload-example via WAF or reverse proxy rule rejecting GET requests with label_config parameters.

  3. Enable CSP enforcement mode—remove the report-only flag from the Content-Security-Policy header.

  4. Rotate all active session tokens on exposed instances.

  5. Audit web server logs for anomalous GET requests to /projects/upload-example containing URL-encoded XML payloads.

  6. Restrict Label Studio to VPN-only access if internet-exposed.
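
One way to run the log audit in step 5, as an added example that is not part of the advisory or of Label Studio. It assumes combined-format access logs; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of a combined-format access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Markup that can run script when rendered: active tags, inline event
# handlers, javascript: URLs.
ACTIVE_HTML_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I
)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_line(line):
    """Finding dict for GET /projects/upload-example?label_config=..., else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != "/projects/upload-example":
        return None
    configs = parse_qs(url.query).get("label_config")
    if not configs:
        return None
    decoded = fully_decode(configs[0])
    return {"ip": m["ip"], "status": int(m["status"]),
            "active_html": bool(ACTIVE_HTML_RE.search(decoded)),
            "label_config": decoded[:200]}

def audit(lines):
    """Keep only the lines that hit the endpoint with a label_config parameter."""
    return [finding for finding in map(audit_line, lines) if finding]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2025:09:12:01 +0000] "GET /projects/upload-example/?label_config=%3CView%3E%3C!--%20%7B%22data%22:%7B%22text%22:%22%3Cimg%20src=x%20onerror=alert(1)%3E%22%7D%7D%20--%3E%3CHyperText%20name=%22text%22%20value=%22$text%22/%3E%3C/View%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Feb/2025:09:13:44 +0000] "GET /projects/upload-example/?label_config=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4987 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Feb/2025:09:15:02 +0000] "GET /projects/upload-example/?label_config=%3CView%3E%3CText%20name=%22text%22%20value=%22$text%22/%3E%3C/View%3E HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Feb/2025:09:16:30 +0000] "POST /projects/upload-example/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]
```

Every returned finding is a GET carrying `label_config`; the `active_html` flag separates those whose decoded value contains script-capable markup, and a 200 status on such a line means the page was served to whoever followed the link.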

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE-2.2 - Sustain value of deployed AI systems and manage residual negative risk
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling

Frequently Asked Questions

Is CVE-2025-25296 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-25296, increasing the risk of exploitation.

What systems are affected by CVE-2025-25296?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data annotation workflows, ml data management.

What is the CVSS score for CVE-2025-25296?

CVE-2025-25296 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 1.78%.

What is the AI security impact?

Affected AI Architectures

training pipelines, data annotation workflows, ml data management

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0020 Poison Training Data
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

## Description

Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution.

The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions.

## Steps to reproduce

1. Create a malicious label config that includes an XSS payload in embedded task data:

```xml
<View><!-- {"data": {"text": "<div><img src=x onerror=eval(atob(`YWxlcnQoIlhTUyIp`))></div>"}} --><HyperText name="text" value="$text"/></View>
```

2. URL encode the payload and access the following URL:

- http://app/projects/upload-example/?label_config=%3CView%3E%3C!--%20{%22data%22:%20{%22text%22:%20%22%3Cdiv%3E%3Cimg%20src=x%20onerror=eval(atob(`YWxlcnQoIlhTUyIp`))%3E%3C/div%3E%22}}%20--%3E%3CHyperText%20name=%22text%22%20value=%22$text%22/%3E%3C/View%3E

When executed, the payload causes the application to render an HTML page containing an img tag that fails to load, triggering the onerror event handler which executes base64-decoded JavaScript, demonstrating successful XSS execution in the victim's browser.

## Mitigations

- Enable the Content Security Policy in enforcement mode instead of report-only mode to actively block unauthorized script execution
- Deprecate the `GET` behavior at the `example-config` endpoint since it's not used

## Impact

The vulnerability requires no special privileges and can be exploited by getting a victim to visit a crafted URL. The impact is high as it allows arbitrary JavaScript execution in victims' browsers, potentially exposing sensitive data or enabling account takeover through session theft.
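
The two mitigations from the advisory, sketched as a WSGI wrapper for an instance that cannot be upgraded yet. This is an added example, not Label Studio's code and not the 1.16.0 fix; `UploadExampleGuard`, `inner_app` and `call` are hypothetical names, and `inner_app` is a constructed stand-in for the application.

```python
from urllib.parse import parse_qs

REPORT_ONLY = "content-security-policy-report-only"
ENFORCED = "content-security-policy"

class UploadExampleGuard:
    """Hypothetical wrapper: refuses GET upload-example requests that carry
    label_config and turns a report-only CSP into an enforced one."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "").rstrip("/")
        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        if (environ.get("REQUEST_METHOD") == "GET"
                and path == "/projects/upload-example"
                and "label_config" in query):
            body = b"label_config is not accepted on GET\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]

        def enforce_csp(status, headers, exc_info=None):
            # Promote the report-only policy unless an enforced one exists.
            has_enforced = any(n.lower() == ENFORCED for n, _ in headers)
            fixed = [("Content-Security-Policy", v)
                     if n.lower() == REPORT_ONLY and not has_enforced else (n, v)
                     for n, v in headers]
            return start_response(status, fixed, exc_info)

        return self.app(environ, enforce_csp)

def inner_app(environ, start_response):
    """Constructed stand-in for the application: sends a report-only CSP."""
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy-Report-Only", "default-src 'self'")])
    return [b"<html></html>"]

def call(method, path, query=""):
    """Drive the guarded app once; return (status, headers as a dict)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    list(UploadExampleGuard(inner_app)(environ, start_response))
    return seen["status"], seen["headers"]
```

A policy that has only ever run in report-only mode may block resources the UI needs once enforced, so review its violation reports before promoting it.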

Exploitation Scenario

An adversary targeting an organization's ML training pipeline uses Shodan or Censys to identify exposed Label Studio instances. They craft a GET URL to /projects/upload-example with a label_config parameter containing a base64-encoded JavaScript payload embedded in an XML HyperText config. The URL is delivered via spearphishing email to a data annotator or ML engineer. When the target clicks the link, their browser renders the malicious HTML, executes the JavaScript payload, and exfiltrates the session cookie to an attacker-controlled server. The attacker uses the stolen session to access annotation projects, download training datasets, or inject poisoned labels—silently corrupting the ML model being trained without triggering any authentication alerts.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; Element attributes (such as src="XYZ"); URIs; JavaScript sections; Casca… etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
February 14, 2025
Last Modified
February 14, 2025
First Seen
March 24, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2025/CVE-2025-25296.yaml -u https://target.example.com
