GHSA-x369-mcw8-8rvj

Source

https://github.com/advisories/GHSA-x369-mcw8-8rvj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x369-mcw8-8rvj/GHSA-x369-mcw8-8rvj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x369-mcw8-8rvj

Aliases

CVE-2025-68467

Published

2026-03-04T18:18:23Z

Modified

2026-03-05T15:42:32.591012Z

Severity

3.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Dark Reader gives users the ability to request style sheets from local web servers

Details

Description

Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type.

Patches

The problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.

The installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, chrome://extensions or about:addons pages.

Users are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.

NPM package

The issue does not affect developers using the darkreader NPM package for website integration. Developers using the setFetchMethod() API must ensure the cross-origin requests are restricted to the intended scope.

Custom forks

Developers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.

Acknowledgements

Security research performed by Brian Carpenter - Deep Fork Cyber.

Database specific

{
    "github_reviewed_at": "2026-03-04T18:18:23Z",
    "nvd_published_at": "2026-03-04T22:16:11Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-346",
        "CWE-668"
    ],
    "severity": "LOW",
    "github_reviewed": true
}

References

Affected packages

npm / darkreader

Package

Name: darkreader; View open source insights on deps.dev
Purl: pkg:npm/darkreader

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.9.117

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x369-mcw8-8rvj/GHSA-x369-mcw8-8rvj.json"