CVE-2025-34281

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-34281

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34281.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-34281

Aliases

GHSA-fpq4-r87v-g246

Published

2025-10-17T19:15:37.197Z

Modified

2026-04-12T15:38:13.029826Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an iframe element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the ImageController, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

References

Affected packages

Git / github.com/thingsboard/thingsboard

Affected ranges

Type

GIT

Repo

https://github.com/thingsboard/thingsboard

Events

Introduced

Fixed

292e6a36a120c2056a3c19b501d8245d9e6f2db0

Fixed

b2ae6f92d12206ea185a2e882945a6b69234bf03

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.2.1"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.2.1

v1.3.1

v2.*

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.1

v4.*

v4.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34281.json"

vanir_signatures_modified

"2026-04-12T15:38:13Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "319455077851038798181775528433069595798",
                "319576918366001751666407645682273068493",
                "158368566890109798104464390607078885300",
                "294659944902753063868774645723344839615"
            ]
        },
        "source": "https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03",
        "id": "CVE-2025-34281-418f1ba8",
        "signature_type": "Line",
        "target": {
            "file": "application/src/main/java/org/thingsboard/server/controller/ImageController.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1920.0,
            "function_hash": "228610660983057071541656181756835851902"
        },
        "source": "https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03",
        "id": "CVE-2025-34281-cb1e123e",
        "signature_type": "Function",
        "target": {
            "function": "downloadIfChanged",
            "file": "application/src/main/java/org/thingsboard/server/controller/ImageController.java"
        }
    }
]