CVE-2025-8206: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Comodo Dragon browser version 134.0.6998.179 and earlier versions, specifically affecting the IP DNS Leakage Detector component. The vulnerability was disclosed on July 25, 2025, and was assigned CVE-2025-8206. The issue affects the browser's built-in extension that handles IP and DNS leak detection functionality (NVD, VulDB).

The vulnerability stems from improper neutralization of user-controllable input in the IP DNS Leakage Detector component. The component uses HTTP connections and inserts response values using the innerHTML property without proper validation or sanitization. The vulnerability is classified as CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection). The CVSS v3.1 base score is 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute JavaScript code or inject phishing forms through malicious HTTP responses when combined with DNS spoofing attacks. This can lead to integrity compromises and potential user data exposure. The attack can be initiated remotely and requires user interaction for successful exploitation (FMISEC).

No official patches or mitigations have been released at the time of disclosure. The vendor was contacted about the vulnerability but did not respond. It is recommended to consider using alternative browser solutions until a fix is available (VulDB).