CVE-2025-66908

Source
https://cve.org/CVERecord?id=CVE-2025-66908
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66908.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66908
Published
2025-12-19T15:15:56.550Z
Modified
2026-03-14T12:45:07.891984Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served.
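The defect described above is a header-and-extension check standing in for content validation. The following added example (not code from the Turms project) contrasts that naive check with a magic-byte check; the signature table, the sample uploads and the function names are constructed for illustration.

```python
from typing import Optional

# Constructed signature table for the image types an OCR upload endpoint would
# accept (assumption for this example, not the project's own list).
IMAGE_SIGNATURES = {
    "image/png":  [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif":  [b"GIF87a", b"GIF89a"],
}

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def naive_is_image(content_type: str, filename: str) -> bool:
    """Vulnerable pattern: trusts the client's Content-Type header and the
    file extension, never looking at the bytes actually uploaded."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return content_type.lower().startswith("image/") or ext in IMAGE_EXTENSIONS


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if the
    payload does not start with any known image signature."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def hardened_is_image(content_type: str, filename: str, data: bytes) -> bool:
    """Hardened check: the magic bytes must identify a supported image type
    and the declared Content-Type must agree with it. The extension is
    treated as untrusted and ignored."""
    declared = content_type.lower().split(";")[0].strip()
    sniffed = sniff_image_type(data)
    return sniffed is not None and declared == sniffed


# Constructed sample uploads (headers only; enough for signature matching).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_AS_PNG = b"<html><body>not an image</body></html>"   # sent as image/png
SCRIPT_AS_JPG = b"#!/bin/sh\necho not an image\n"          # named shell.jpg

if __name__ == "__main__":
    for label, ctype, name, body in [
        ("real png", "image/png", "scan.png", REAL_PNG),
        ("html as png", "image/png", "avatar.png", HTML_AS_PNG),
        ("script as jpg", "application/octet-stream", "shell.jpg", SCRIPT_AS_JPG),
    ]:
        print(f"{label:14} naive={naive_is_image(ctype, name)!s:5} "
              f"hardened={hardened_is_image(ctype, name, body)}")
```

The naive check accepts all three constructed uploads; the magic-byte check accepts only the real PNG header.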

References

Affected packages

Git / github.com/turms-im/turms

Affected ranges

Type
GIT
Repo
https://github.com/turms-im/turms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.10.0-snapshot"
        }
    ]
}

Affected versions

v0.*
v0.10.0-SNAPSHOT

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66908.json"