CVE-2025-27155
vulnerability analysis and mitigation

Overview

Pinecone is an experimental overlay routing protocol suite that underpins the current P2P Matrix demos. The Pinecone Simulator (pineconesim) shipped in the Pinecone repository up to commit ea4c337 contains a stored cross-site scripting vulnerability. The issue was disclosed on March 4, 2025, and affects every version of pineconesim up to and including that commit (GitHub Advisory).

Technical details

The vulnerability has been assigned CVE-2025-27155 with a CVSS v3.1 base score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) and CWE-79 (Improper Neutralization of Input During Web Page Generation). The vector reflects the usual shape of a stored XSS: no privileges are needed to submit the payload (PR:N), a victim has to load the affected page (UI:R), and the injected script runs in the victim's browser rather than in pineconesim itself, so scope is Changed (S:C). The payload is held only in the simulator's in-memory state, so it is wiped whenever pineconesim is restarted (NVD).

Impact

The vulnerability lets an attacker run script in the browser of any user who views the Pinecone Simulator while the payload is stored, which is the basis for the low confidentiality and integrity ratings in the CVSS vector; availability is not affected. The impact is bounded by the simulator's storage model: the payload does not survive a restart of pineconesim, so persistence is limited to the lifetime of the running process (GitHub Advisory).

Mitigation and workarounds

The fix adds DOMPurify, an HTML sanitization library, to the simulator's web front end; it was introduced in commit 218b2801995b174085cb1c8fafe2d3aa661f85bd. No specific workarounds have been documented for versions prior to the patch. Until an updated build is deployed, restarting pineconesim clears any payload already stored, and limiting who can reach the simulator's web interface reduces the chance of one being planted (GitHub Commit).
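The following is an added example written for this page, not code from pineconesim or from the fixing commit. It shows the generic pattern behind a stored XSS of this kind: attacker-supplied text is kept in an in-memory store (mirroring the advisory's point that the payload disappears on restart) and later concatenated into markup, next to a hardened renderer that entity-escapes the text before interpolation. The store, the label field, the function names and the payload are all hypothetical; the project's actual fix relies on DOMPurify, which needs a DOM to run and is therefore not used here so the example runs under plain Node.js.

```javascript
// Added example, not pineconesim code. All names here are hypothetical.

// In-memory store standing in for the simulator's temporary state. Its
// contents live only as long as the process, which matches the advisory's
// note that the stored payload is wiped when pineconesim restarts.
const labelStore = new Map();

function storeLabel(nodeId, label) {
  labelStore.set(nodeId, label);
}

// Vulnerable pattern: untrusted text is concatenated straight into markup,
// so any tag or event-handler attribute in the label becomes live HTML.
function renderLabelUnsafe(nodeId) {
  const label = labelStore.get(nodeId) ?? "";
  return `<span class="node-label">${label}</span>`;
}

// Hardened pattern: every character that carries meaning in an HTML text or
// double/single-quoted attribute context is replaced by its entity first.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderLabelSafe(nodeId) {
  const label = labelStore.get(nodeId) ?? "";
  return `<span class="node-label">${escapeHtml(label)}</span>`;
}

// Crude check used by the demo: does the rendered fragment contain any tag
// other than the <span> the template itself emits? Case-insensitive so that
// <ScRiPt> or <IMG onerror=...> are caught as well.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) ?? [];
  return tags.some((tag) => !/^<\/?span\b/i.test(tag));
}

// Constructed payload for the demo; it is not a payload from the advisory.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  storeLabel("node-1", PAYLOAD);
  const unsafe = renderLabelUnsafe("node-1");
  const safe = renderLabelSafe("node-1");
  return {
    unsafe,
    safe,
    unsafeInjected: containsInjectedMarkup(unsafe), // true
    safeInjected: containsInjectedMarkup(safe), // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = demo();
  console.log("unsafe:", result.unsafe);
  console.log("safe:  ", result.safe);
}

module.exports = { storeLabel, renderLabelUnsafe, renderLabelSafe, escapeHtml, containsInjectedMarkup, demo };
```

Escaping is the right tool when the label is meant to be plain text. When the application genuinely needs to render user-supplied HTML, the approach the fixing commit takes is the better fit: pass the string through DOMPurify's documented entry point, `DOMPurify.sanitize(untrusted)`, and insert only the sanitized result, rather than hand-rolling an allowlist parser.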

This report was generated using AI.
