CVE-2025-3261

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-3261

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3261.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-3261

Aliases

GHSA-5p82-2q3r-wj3m

Published

2025-11-27T18:15:46.403Z

Modified

2025-12-05T12:32:23.235517Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an iframe element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the ImageController, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

References

Affected packages

Git / github.com/thingsboard/thingsboard

Affected ranges

Type: GIT
Repo: https://github.com/thingsboard/thingsboard
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b2ae6f92d12206ea185a2e882945a6b69234bf03

Affected versions

v1.*

v1.0

v1.1

v1.2

v1.2.1

v1.2.2

v1.2.3

v1.3

v1.3.1

v2.*

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.1

v2.1.1

v2.1.2

v2.1.3

v2.2

v2.3

v2.4

v2.4.1

v2.4.2

v2.4.2.1

v2.4.3

v2.5

v3.*

v3.4

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "application/src/main/java/org/thingsboard/server/controller/ImageController.java"
        },
        "digest": {
            "line_hashes": [
                "319455077851038798181775528433069595798",
                "319576918366001751666407645682273068493",
                "158368566890109798104464390607078885300",
                "294659944902753063868774645723344839615"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03",
        "deprecated": false,
        "id": "CVE-2025-3261-418f1ba8",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "downloadIfChanged",
            "file": "application/src/main/java/org/thingsboard/server/controller/ImageController.java"
        },
        "digest": {
            "length": 1920.0,
            "function_hash": "228610660983057071541656181756835851902"
        },
        "signature_version": "v1",
        "source": "https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03",
        "deprecated": false,
        "id": "CVE-2025-3261-cb1e123e",
        "signature_type": "Function"
    }
]