CVE-2025-27155: In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim

March 4, 2025 (updated March 11, 2025)

The Pinecone Simulator (pineconesim) included in Pinecone up to commit https://github.com/matrix-org/pinecone/commit/ea4c33717fd74ef7d6f49490625a0fa10e3f5bbc is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconsim.

References

github.com/advisories/GHSA-fr62-mg2q-7wqv
github.com/matrix-org/pinecone
github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd
github.com/matrix-org/pinecone/security/advisories/GHSA-fr62-mg2q-7wqv
nvd.nist.gov/vuln/detail/CVE-2025-27155
pkg.go.dev/vuln/GO-2025-3500

Code Behaviors & Features

Detect and mitigate CVE-2025-27155 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →