CVE-2025-47783: 
Python vulnerability analysis and mitigation

Label Studio, a multi-type data labeling and annotation tool, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2025-47783) in versions prior to 1.18.0. The vulnerability was discovered on May 14, 2025, and affects the application's web interface, specifically when handling requests to the POST /projects/upload-example/ endpoint. The vulnerability has been assigned a CVSS v4.0 score of 7.6 (High) (GitHub Advisory).

The vulnerability is located in the label_studio/projects/views.py file, where insufficient input validation allows attackers to inject malicious scripts into the web page context. The issue specifically occurs in the HttpResponse function where taskdata is passed through json.dumps without proper sanitization. The vulnerability has been assigned a vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N (GitHub Advisory).

When successfully exploited, this vulnerability can lead to data theft, session hijacking, and unauthorized actions performed on behalf of the user. While the vulnerability could potentially expose document.cookie, it's worth noting that Label Studio's session cookies are marked as http-only, which helps mitigate the risk of session theft (GitHub Advisory, Wiz).

The vulnerability has been patched in Label Studio version 1.18.0. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory, Wiz).