CVE-2025-67842

MEDIUM6.4

The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site

Published Dec 19, 2025

Modified 2 months ago

Details

The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site.

References

WEB

https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28

WEB

https://heartbreak.ing

DETECTION

https://kibty.town/blog/mintlify/

WEB

https://news.ycombinator.com/item?id=46317098

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-67842

WEB