CVE-2025-27155 – github.com/matrix-org/pinecone

Package

Manager: go
Name: github.com/matrix-org/pinecone
Vulnerable Version: >=0 <=0.11.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00037 pctl0.0983

Details

In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim ### Impact The Pinecone Simulator (pineconesim) included in Pinecone up to commit https://github.com/matrix-org/pinecone/commit/ea4c33717fd74ef7d6f49490625a0fa10e3f5bbc is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconsim. ### Patches Commit https://github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd contains the fixes. ### Workarounds N/A ### For more information If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).

Metadata

Created: 2025-03-04T17:23:15Z
Modified: 2025-03-11T17:16:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fr62-mg2q-7wqv/GHSA-fr62-mg2q-7wqv.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-fr62-mg2q-7wqv
Finding: F425
Auto approve: 1