Mintlify Security Event - November 2025

The initial vulnerability: Cross-site static assets

On November 12, 2025, we were notified that our static asset hosting endpoint (/_mintlify/static/) didn't properly scope assets to individual customers. This meant a static asset uploaded by one customer could be accessed from another customer's domain.

The impact of this vulnerability was cross-domain XSS, where an actor could upload malicious assets to the Mintlify platform, and then load them on a customer's domain. For assets like SVGs with embedded JavaScript, this allowed an actor to create XSS payloads that would be executed in the context of the customer's domain.

Within 45 minutes of being notified, we deployed a fix that restricted static asset access to only the customer who uploaded them. The notification came from one of our customers, who had been contacted by security researchers who had discovered the vulnerability.

After fixing the issue, customers we believed to be most at risk were notified the same day. We also initiated contact with the security researchers who originally discovered the vulnerability to coordinate a response and provide them with the necessary information to help them test the fix.

Who was potentially affected?

Customers most at risk:

• Those hosting documentation on the same domain as a web application with authentication cookies or credentials in localStorage (e.g., yourdomain.com/docs)
• Those storing authentication credentials in localStorage, or using cookies with a wildcard domain scope

Customers not at risk:

• Those using separate domains for documentation (e.g., docs.yourdomain.com separate from app.yourdomain.com) with scoped cookies
• Those using Mintlify's default *.mintlify.app subdomains

Timeline of the vulnerability

November 12, 2025

• 12:07 PM PT — Mintlify is notified of vulnerability, and immediate response begins
• 12:21 PM PT — An official incident is declared, and additional engineering resources are mobilized
• 12:27 PM PT — Known malicious test assets removed
• 12:52 PM PT — Primary fix deployed, all caches purged
• 5:35 PM PT - Preliminary audit of all hosted assets completed, list of customers to notify identified
• 7:52 PM PT — Potentially affected customers notified
• 10:25 PM PT - Customers notified of additional information regarding the vulnerability

November 13, 2025

• Security researchers engaged under MNDA
• Comprehensive audit of all hosted assets completed
• Additional vulnerable paths identified and patched

November 14, 2025

• Path traversal bypass reported by researchers
• Path traversal fix deployed within 90 minutes
• Asset audit repeated

November 15, 2025

• Researchers confirmed all known vulnerabilities patched

Additional vulnerabilities discovered

What followed was a week of intensive collaboration with the researchers, during which several additional issues were identified and fixed:

• Path traversal bypass (November 14): Researchers found that URL-encoded path traversal could bypass the initial fix. Fixed same day, and caches purged
• Cross-domain data endpoints: The /_mintlify/markdown/, RSS, favicon, and MCP endpoints allowed cross-subdomain data access. While these didn't enable XSS (they return raw data, not executable content), they are fixed
• Server-side rendering code execution: The same researchers found that server-side rendering code execution was possible by injecting malicious code into MDX that was server-side rendered. Fixed same day, affected internal credentials (non that allowed persistence) rotated, and all hosted MDX audited for malicious code injection
• Downgrade attack: The same researchers found that a downgrade attack was possible by accessing older versions of Mintlify sites. Fixed same day, all internal credentials rotated, and customer configurations audited for sensitive information exposure
• Dashboard IDOR: The same researchers found that an IDOR vulnerability in the Mintlify dashboard allowed an actor to view some details of other customers' documentation update history. Fixed same day, and all customer configurations audited for sensitive information exposure

Why so many vulnerabilities?

Frequently, one vulnerability uncovers another vulnerability, as focus intensifies on the weakest parts of a system.

In this case, two sets of two vulnerabilities were tightly linked. Cross-domain asset access and path traversal, and server-side rendering code execution and downgrade attack.

What we improved

This collaboration resulted in security improvements that go well beyond fixing the specific vulnerabilities:

Immediate fixes:

• Static assets now scoped to individual customers
• Path traversal protections hardened
• Cross-domain data endpoints secured
• Dashboard endpoints audited for sensitive information exposure and IDOR vulnerabilities
• Server-side rendering code execution protections hardened
• Exhaustive audits of all hosted assets and customer configurations

Ongoing improvements:

• Automated smoke tests for cross-domain asset access
• Stricter validation of uploaded assets
• Rapid asset audit process(es) across all customers

Process improvements:

• Faster incident response protocols
• Direct communication channels with security researchers & and an enhanced bug bounty program
• More comprehensive security review for new features

Working with researchers

The researchers who worked with us were professional, responsive, and thorough. They helped us verify fixes, identify edge cases we'd missed, and think through the broader implications of our changes.

We paid bounties totaling approximately $10,000 USD to the researchers for their findings. Thank you to xyzeva, MDL, and dan for their help.

We encourage security researchers to continue reporting vulnerabilities through our responsible disclosure program.

For affected customers

If you were contacted by our team in November about this vulnerability, no further action is required. The vulnerabilities have been patched and we found no evidence of exploitation after exhaustive audits of our internal systems and configurations.

If you have questions about whether you were affected or want more details about our remediation, contact us at security@mintlify.com.

Looking forward

We're grateful to the researchers who took the time to report these issues responsibly and work with us on fixes. The result is a more secure platform for all of our customers, and we look forward to maintaining an ongoing relationship with them.

We're also grateful to the customers who helped us identify the vulnerabilities, and the trust they placed in us to fix them responsibly.