Giters

thawkhant / viber-desktop-html-injection

Public writeup for CVE-2025-55996 (Viber Desktop HTML Injection)

Repository from Github https://github.comthawkhant/viber-desktop-html-injectionRepository from Github https://github.comthawkhant/viber-desktop-html-injection

Viber Desktop — HTML Injection (CVE-2025-55996)

CVE: CVE-2025-55996
Discoverer: Thaw Khant (Cycbake)
Product: Viber Desktop
Affected: Viber Desktop 25.6.0 (and possibly earlier)

Summary

Viber Desktop's deep-link handler (viber://forward?text=) can render unsanitized HTML supplied in the text parameter inside the message compose/forward interface. While script execution appears restricted by the client, attacker-controlled external resources (e.g., images) can be loaded, enabling user tracking and UI manipulation that may facilitate phishing and privacy leakage.

Impact

  • Remote image/resource loading from attacker-controlled domains (IP/meta leakage).
  • Message UI manipulation (misleading text/graphics) enabling social engineering.
  • Can be chained with other issues for greater impact.

Reproduction (redacted)

Reproduction steps are intentionally redacted from this public writeup to avoid mass exploitation. A minimal repro was provided to vendor and MITRE at the time of reporting.

Mitigation / Recommended fix

  • Treat the text parameter as plain text; do not render HTML by default.
  • Properly escape/encode user-supplied input before rendering in the client.
  • Block or proxy external resource loading in forwarded messages (strip remote resource requests or force them to pass via a sanitizing proxy).

Notes

This public writeup intentionally omits exploit-level details. If you are a vendor or security contact requiring technical details for remediation, please contact the discoverer at the address above.

About

Public writeup for CVE-2025-55996 (Viber Desktop HTML Injection)