Cross-Site Scripting (XSS) Vulnerability (6725)
Description
Security Notification – July 2025 – CVE-2025-6725
- Progress® KendoReact (11.1.0) or earlier.
What Are the Impacts
In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.
Issue
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Solution
We have addressed the issue and the Progress team strongly recommends performing an upgrade to the latest version listed in the table below.
| Current Version | Update to |
|---|---|
| >= v5.10.0 && <= v11.1.0 | >= v11.2.0 |
Follow the update instructions for the exact upgrade steps. All licensed customers can access the downloads at Product Downloads | Your Account.
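As an added example (not part of this advisory or of the KendoReact code base), the script below audits an npm lockfile against the affected range in the table above and reports each installed copy of the PdfViewer package; the npm package name `@progress/kendo-react-pdf-viewer` is an assumption, and the lockfile content is constructed.

```javascript
// Added example (not from the advisory): flag installed KendoReact PdfViewer
// versions inside the affected range from the advisory table,
// >= 5.10.0 && <= 11.1.0 (fixed in >= 11.2.0).
// The npm package name below is an assumption, not stated in the advisory.
const PDF_VIEWER_PKG = "@progress/kendo-react-pdf-viewer";
const AFFECTED_MIN = "5.10.0";
const AFFECTED_MAX = "11.1.0";
const FIXED_IN = "11.2.0";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; prerelease/build tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's affected range (inclusive).
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2/3 shape) and
// report every installed copy of the PdfViewer package, nested ones included.
// An empty result means the package is not installed at all.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PDF_VIEWER_PKG}`) || !meta.version) continue;
    const status = isAffected(meta.version)
      ? `affected, upgrade to >= ${FIXED_IN}` : "not in affected range";
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not real project data): one direct and one nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  [`node_modules/${PDF_VIEWER_PKG}`]: { version: "11.1.0" },
  [`node_modules/legacy-app/node_modules/${PDF_VIEWER_PKG}`]: { version: "11.2.0" },
} };
console.table(auditLockfile(sampleLock));
```

Point `auditLockfile` at the parsed `package-lock.json` of a real project; nested copies pulled in by other dependencies are reported alongside the direct one.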
Notes
- If you do not use the PdfViewer in your application, the application is not vulnerable.
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.
- We would like to thank ATTRIBUTION for responsibly disclosing this vulnerability.
External References
CVE-2025-6725 (MEDIUM)
CVSS: 5.4