CVE-2025-53528 — Cadwyn vulnerable to XSS on the docs page

Description

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.

How to fix CVE-2025-53528

To remediate CVE-2025-53528, upgrade the affected package to a fixed version below.

—upgrade to 5.4.3 or later
—upgrade to b424ecd57cd8dabbc8fe39b8f8ccafea629c7728 or later

Is CVE-2025-53528 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.4.3
from 0, < b424ecd57cd8dabbc8fe39b8f8ccafea629c7728 | from 0, < 5.4.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53528
PATCHgithub.com/zmievsa/cadwyn
WEBgithub.com/pypa/advisory-database/tree/main/vulns/cadwyn/PYSEC-2025-71.yaml
WEBgithub.com/zmievsa/cadwyn/blob/5.4.3/CHANGELOG.md#543