CVE-2024-45308
CVE-2024-45308 is a medium-severity vulnerability in Hedgedoc with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1289.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-41431
- Weakness: CWE-1289
- Affected product: Hedgedoc
- Published:
- Last modified:
Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.
Frequently asked questions
- What is CVE-2024-45308?
- HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.
- How severe is CVE-2024-45308?
- CVE-2024-45308 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability low.
- Is CVE-2024-45308 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-45308?
- CVE-2024-45308 affects Hedgedoc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-45308?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-45308 have an EU (EUVD) identifier?
- Yes. CVE-2024-45308 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-41431.
- When was CVE-2024-45308 published?
- CVE-2024-45308 was published on 2024-09-02 and last updated on 2026-06-17.
References
- https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p
Affected products (1)
- cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*
More vulnerabilities in Hedgedoc
- CVE-2021-29475 — Critical (CVSS 10.0): HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive…
- CVE-2020-26287 — High (CVSS 8.7): HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can…
- CVE-2021-39175 — High (CVSS 8.1): HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject…
- CVE-2021-29503 — High (CVSS 8.1): HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site…
- CVE-2020-26286 — High (CVSS 7.5): HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an…
- CVE-2021-21259 — High (CVSS 7.4): HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before…
Other CWE-1289 vulnerabilities
- CVE-2026-39821 — Critical (CVSS 9.6): The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For…
- CVE-2026-50090 — Critical (CVSS 9.3): The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due…
- CVE-2024-42219 — High (CVSS 7.8): 1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process…
- CVE-2026-49942 — High (CVSS 7.3): Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could…
- CVE-2024-45179 — High (CVSS 7.2): An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input…
- CVE-2026-39972 — High (CVSS 7.1): Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior…