Apryse WebViewer UI (React SPA inside an iframe)
v11.8 and likely earlier versions.
The WebViewer UI fetches a remote JSON configuration file from an attacker-controlled URL supplied in a query parameter; a field of that JSON reaches an unsafe DOM sink, so an attacker who can get a victim to open a crafted viewer URL gets script execution in the WebViewer UI's origin.
The uiConfig query parameter is read from the URL and fetched as-is, with no origin or scheme check. A specific field in the resulting JSON reaches the Icon.js component, which renders it through dangerouslySetInnerHTML. Markup parsed by DOMParser (and by innerHTML) does not execute `<script>` elements, so a plain script inside the SVG stays inert; inline event handlers are a different matter, because they fire normally once the element is live in the page. The researchers exploited this with a `<foreignObject>` element, which switches the parser from the SVG namespace to an HTML parsing context, so an HTML element such as `<img>` with an onerror attribute is parsed inside the icon and its handler runs. The practical lesson is that neither "it is only SVG" nor "DOMParser already saw it" makes a remote string safe for an innerHTML sink: the config source must be restricted to the application's own origin, and any markup taken from it must be validated against an allowlist of tags and attributes (or passed through a sanitizer such as DOMPurify) before it is rendered.
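As an added example (not Apryse's code, and not the researchers' exploit), the two checks below close the two halves of the bug described above: the first refuses a uiConfig URL that is not same-origin over http(s), and the second rejects an icon string that contains any tag or attribute outside a small SVG allowlist, which catches `<foreignObject>`, `<script>`, `on*` handlers and `href` alike. The function names, the allowlists and the sample payloads are assumptions constructed for the example; a real fix would more likely lean on DOMPurify's SVG profile than on a hand-rolled validator, but the rejecting allowlist makes the failure modes visible.

```javascript
// Added example, not Apryse WebViewer code. Function names, allowlists and
// sample inputs are hypothetical and constructed for illustration.

// 1. A remote config may only come from the viewer's own origin over http(s).
//    Rejects javascript:, data:, blob: and protocol-relative (//host) URLs.
function isAllowedUiConfigUrl(raw, pageOrigin) {
  let url;
  try {
    url = new URL(raw, pageOrigin); // resolves relative paths against the page
  } catch (e) {
    return false; // unparseable input is never fetched
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return url.origin === new URL(pageOrigin).origin;
}

// 2. Validate (not sanitize) an icon string against an allowlist. Anything
//    not on the list is a hard reject, so new dangerous tags or attributes
//    fail closed instead of slipping through a denylist.
const ALLOWED_TAGS = new Set([
  'svg', 'g', 'path', 'circle', 'ellipse', 'rect', 'line',
  'polyline', 'polygon', 'title',
]);
const ALLOWED_ATTRS = new Set([
  'xmlns', 'viewbox', 'width', 'height', 'd', 'fill', 'stroke',
  'stroke-width', 'stroke-linecap', 'stroke-linejoin', 'cx', 'cy', 'r',
  'rx', 'ry', 'x', 'y', 'x1', 'y1', 'x2', 'y2', 'points', 'class',
]);

function validateSvgIcon(svg) {
  // Comments, CDATA sections, doctypes and processing instructions have no
  // business in an icon and are easy places to hide markup; reject them.
  if (/<[^A-Za-z\/]/.test(svg)) {
    return { ok: false, reason: 'comment, CDATA, doctype or PI not allowed' };
  }
  const tagRe = /<\/?([A-Za-z][\w:-]*)([^>]*)>/g;
  // attribute name, optionally followed by a quoted or bare value
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = tagRe.exec(svg)) !== null) {
    const name = m[1];
    const attrs = m[2];
    // Case-insensitive compare so <foreignobject> and <foreignObject> match.
    if (!ALLOWED_TAGS.has(name.toLowerCase())) {
      return { ok: false, reason: `disallowed tag <${name}>` };
    }
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      if (!ALLOWED_ATTRS.has(a[1].toLowerCase())) {
        return { ok: false, reason: `disallowed attribute ${a[1]} on <${name}>` };
      }
    }
  }
  return { ok: true };
}

// Constructed sample inputs: a benign icon, and the shape of payload the
// write-up describes (HTML parsing context opened via <foreignObject>).
const BENIGN_ICON =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">' +
  '<path d="M4 4h16v16H4z" fill="none" stroke="currentColor"/></svg>';
const FOREIGNOBJECT_PAYLOAD =
  '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>' +
  '<img src=x onerror="alert(1)"></foreignObject></svg>';

console.log(isAllowedUiConfigUrl('/ui-config.json', 'https://viewer.example'));
console.log(isAllowedUiConfigUrl('https://evil.example/c.json', 'https://viewer.example'));
console.log(validateSvgIcon(BENIGN_ICON));
console.log(validateSvgIcon(FOREIGNOBJECT_PAYLOAD));
console.log(validateSvgIcon('<svg/onload=alert(1)>'));
```

The validator deliberately returns a reason rather than a cleaned string: an icon that fails the allowlist should be dropped and logged, not "repaired", because the repaired output would still be rendered into the same dangerouslySetInnerHTML sink. The URL check matters even with the validator in place, since a same-origin config is the only thing that stops an attacker from choosing what the other fields of the JSON contain.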