Merge pdf-cve-3077 into production (#3078)

github-actions[bot] · dimodi · web-flow · commit 74ebb97ff5ca · 2025-07-02T13:36:41.000+03:00
* kb(PdfViewer): Add CVE KB * Update knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md --------- Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com>
diff --git a/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md b/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725.md
@@ -0,0 +1,54 @@
+---
+title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
+description: How to mitigate CVE-2025-6725, a Cross-site Scripting (XSS) vulnerability in the Telerik PDF Viewer for Blazor.
+type: troubleshooting
+page_title: PDF Viewer Cross-site Scripting (XSS) Vulnerability (2025-6725)
+slug: pdfviewer-kb-xss-vulnerability-cve-2025-6725
+tags: telerik, blazor, pdfviewer, vulnerability, xss
+ticketid: 1689311
+res_type: kb
+---
+
+## Environment
+
+<table>
+    <tbody>
+        <tr>
+            <td>Product</td>
+            <td>PDF Viewer for Blazor</td>
+        </tr>
+        <tr>
+            <td>Version</td>
+            <td>From 3.6.0 to 9.0.0</td>
+        </tr>
+    </tbody>
+</table>
+
+## Description
+
+This is a security notification that explains how to mitigate a cross-site scripting (XSS) vulnerability [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725) in the Telerik PDF Viewer component for Blazor.
+
+* The weakness ID is [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html).
+* The vulnerability CVSS score is `5.4` (medium).
+
+The XSS vulnerability can be exploited if a specially-crafted document is already loaded and the user engages with a tool that requires the DOM in the PDF Viewer to re-render.
+
+## Solution
+
+If your Blazor app uses the Telerik PDF Viewer, then [upgrading Telerik UI for Blazor](slug:upgrade-tutorial) to version **9.1.0** or later is strongly recommended.
+
+All customers with a Telerik license can:
+
+* Access the [Downloads page in their Telerik account](https://www.telerik.com/account/downloads/product-download).
+* Reference [NuGet packages on the Telerik NuGet server](slug:installation/nuget).
+
+## Notes
+
+* If you do not use the PDF Viewer in your application, the application is not vulnerable.
+* If you have any questions or concerns related to this issue, [open a new technical support ticket from the Telerik Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical support is available to customers with an active license and support plan.
+* We would like to thank Harmen van Keimpema for responsibly disclosing this vulnerability.
+
+## See Also
+
+* [CVE-2025-6725](https://www.cve.org/CVERecord?id=CVE-2025-6725)
+* [PDF Viewer Overview](slug:pdfviewer-overview)
