Dark Reader gives users the ability to request style sheets from local web servers
- Severity: Low
Description
Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, if an address was available and returned a text/css content type.
Recommendation
Update the darkreader package to the latest compatible version. Version details follow:
- Affected version(s): < 4.9.117
- Patched version(s): 4.9.117
References
- GHSA-x369-mcw8-8rvj
- CVE-2025-68467
- CWE-200
- CWE-346
- CWE-668
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - CVE-2025-30360
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- Tags: npm, darkreader
Last updated on March 05, 2026