
CVE-2025-41085: Apidog Stored XSS Vulnerability

CVE-2025-41085 is a stored XSS vulnerability in Apidog version 2.7.15 affecting SVG image uploads. Attackers can embed malicious scripts in SVG files that execute when users access the resource. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: February 6, 2026

CVE-2025-41085 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Apidog version 2.7.15. The vulnerability exists due to improper sanitization of SVG image uploads. Attackers can embed malicious scripts within SVG files by sending a POST request to the /api/v1/user-avatar endpoint. These malicious scripts are then stored on the server and executed in the browser context of any user who accesses the compromised resource, potentially leading to session hijacking, credential theft, or further malicious actions.

Critical Impact

Stored XSS vulnerabilities allow persistent attacks where malicious scripts execute automatically for every user viewing the compromised content, enabling widespread credential theft, session hijacking, and propagation of further attacks across the platform's user base.

Affected Products

  • Apidog version 2.7.15
  • Apidog Web Platform (SVG upload functionality)
  • Systems utilizing the /api/v1/user-avatar endpoint for avatar uploads

Discovery Timeline

  • 2026-02-04 - CVE-2025-41085 published to NVD
  • 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2025-41085

Vulnerability Analysis

This stored XSS vulnerability arises from insufficient input validation and sanitization of SVG file uploads within the Apidog web platform. SVG (Scalable Vector Graphics) files are XML-based and can contain embedded JavaScript code within elements such as <script> tags or event handlers like onload, onclick, and similar attributes.

When a user uploads an SVG file as their avatar through the /api/v1/user-avatar endpoint, the application fails to properly sanitize or strip potentially malicious content from the SVG markup. The malicious file is then stored on the server and served to other users who view the attacker's profile or any page displaying the avatar.

The stored nature of this vulnerability makes it particularly dangerous, as the malicious payload persists on the server and executes automatically whenever the compromised resource is accessed. This can affect multiple users without any additional interaction from the attacker after the initial upload.

Root Cause

The root cause of this vulnerability is the lack of proper input validation and content sanitization for SVG file uploads. The application accepts SVG files without stripping dangerous elements such as embedded scripts, event handlers, or external resource references. SVG files, being XML-based, can contain executable JavaScript that browsers will execute when rendering the image.

The vulnerable endpoint /api/v1/user-avatar does not implement content security measures such as:

  • Parsing and sanitizing SVG content to remove script elements
  • Validating SVG structure against a safe whitelist of allowed elements and attributes
  • Converting SVG uploads to safer raster image formats
  • Implementing Content-Security-Policy headers to restrict script execution

Attack Vector

The attack is network-based and requires low privileges (an authenticated user account) to execute. The attacker must craft a malicious SVG file containing an embedded JavaScript payload and upload it through the avatar functionality. Once stored, the payload executes in the browser context of any victim who views the attacker's avatar, inheriting the victim's session and permissions.

The attack flow involves uploading a crafted SVG containing malicious JavaScript via a POST request to the /api/v1/user-avatar endpoint. The server stores the unsanitized SVG, and when other users browse to a page displaying the attacker's avatar, the SVG is rendered and the embedded script executes in the victim's browser session.

Detection Methods for CVE-2025-41085

Indicators of Compromise

  • Presence of SVG files containing <script> tags or JavaScript event handlers in avatar storage directories
  • Unusual POST requests to /api/v1/user-avatar with SVG payloads containing encoded or obfuscated JavaScript
  • User reports of unexpected browser behavior or session anomalies when viewing specific user profiles
  • Web application firewall logs showing blocked XSS patterns in SVG file uploads

Detection Strategies

  • Implement web application firewall (WAF) rules to inspect SVG uploads for embedded scripts and event handlers
  • Monitor HTTP traffic for POST requests to /api/v1/user-avatar containing suspicious SVG content patterns
  • Scan stored avatar files for XML elements associated with script execution such as <script>, onload, onerror, and similar attributes
  • Deploy client-side JavaScript monitoring to detect unexpected script execution contexts

Monitoring Recommendations

  • Enable detailed logging for all file upload endpoints, particularly /api/v1/user-avatar
  • Configure alerting for SVG files containing script-related XML elements or event handlers
  • Monitor for unusual patterns of user session activity that could indicate session hijacking
  • Review Content-Security-Policy violation reports for script execution anomalies

How to Mitigate CVE-2025-41085

Immediate Actions Required

  • Restrict or disable SVG uploads through the /api/v1/user-avatar endpoint until a patch is available
  • Scan existing avatar files for malicious SVG content and remove or replace compromised files
  • Implement Content-Security-Policy headers with strict script-src directives to limit script execution
  • Consider converting all uploaded SVG files to PNG or JPEG format server-side to eliminate script execution risk

Patch Information

Monitor the INCIBE Security Notice for official patch announcements and updates from Apidog. Upgrade to a patched version as soon as one becomes available. Organizations should test any patches in a staging environment before production deployment.

Workarounds

  • Disable SVG file uploads entirely and restrict avatar uploads to raster image formats only (PNG, JPEG, GIF)
  • Implement server-side SVG sanitization using libraries designed to strip dangerous elements and attributes
  • Add strict Content-Security-Policy headers that prevent inline script execution: Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' data:
  • Use a sandboxed iframe with the sandbox attribute when displaying user-uploaded SVG content to prevent script execution

```bash
# Example Content-Security-Policy header configuration for Apache (requires mod_headers)
# Send the header on the response that serves the stored SVG itself, not only on HTML pages:
# the embedded script runs when the SVG is opened directly or loaded via <object>/<iframe>.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none';"

# Example for Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none';";
```
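As an added example (not code from the page or from Apidog), the following Python covers both the detection strategy above, scanning stored avatar files for script elements and event handlers, and the server-side sanitization workaround, using only the standard library. The element allowlist and the constructed sample avatar are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET  # parse with defusedxml.ElementTree in production (entity expansion)
ET.register_namespace("", "http://www.w3.org/2000/svg")  # serialise without ns0: prefixes
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Allowlist of elements an avatar needs; script, foreignObject and anything unknown is dangerous.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "circle", "ellipse", "rect", "line",
                "polyline", "polygon", "text", "tspan", "a", "lineargradient", "radialgradient", "stop"}
# href values that hand control to script or smuggle arbitrary content
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

def _local(qname):
    """Strip an XML namespace prefix: '{ns}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]

def find_dangerous_nodes(svg_text):
    """Detection: return (element, reason) findings for script-capable content."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        name = _local(elem.tag)
        if name.lower() not in ALLOWED_TAGS:
            findings.append((name, "element not in allowlist"))
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append((name, f"event handler attribute {aname}"))
            elif aname == "href" and SCRIPT_URL.match(value):
                findings.append((name, "href with scriptable URL scheme"))
    return findings

def sanitize_svg(svg_text):
    """Mitigation: drop non-allowlisted elements and script-bearing attributes."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag).lower() not in ALLOWED_TAGS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            aname = _local(attr).lower()
            if aname.startswith("on") or (aname == "href" and SCRIPT_URL.match(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed sample avatar (not from the page): a benign circle plus a script element, an event handler and a javascript: href.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="32" cy="32" r="30" fill="#3c6" onload="console.log('handler')"/>
  <script>console.log('script element')</script>
  <a xlink:href="javascript:console.log('href')"><text x="10" y="40">hi</text></a>
</svg>"""
```

Run `find_dangerous_nodes` over files in the avatar store to produce findings for alerting, and `sanitize_svg` on upload before the file is persisted.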

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XSS
  • Vendor/Tech: Apidog
  • Severity: MEDIUM
  • CVSS Score: 5.1
  • EPSS Probability: 0.05%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-79

Technical References

  • INCIBE Security Notice