Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62796

CVE-2025-62796: PrivateBin Persistent XSS Vulnerability

CVE-2025-62796 is a persistent XSS flaw in PrivateBin allowing HTML injection through unsanitized attachment filenames. Attackers can inject malicious HTML to redirect users or deface sites. This article covers affected versions, technical details, impact assessment, and mitigation strategies.

Published:

CVE-2025-62796 Overview

CVE-2025-62796 is a persistent HTML injection vulnerability in PrivateBin, an open-source, zero-knowledge pastebin application. The flaw affects versions 1.7.7 through 2.0.1 when attachments are enabled. Attackers can modify the attachment_name value before encryption. After decryption in a victim's browser, arbitrary HTML renders unescaped near the file size hint. The issue is classified as Cross-Site Scripting [CWE-79], though script execution is blocked when the recommended Content Security Policy (CSP) is enforced. Impact centers on redirect attacks using meta refresh, site defacement, and downstream phishing. PrivateBin maintainers fixed the flaw in version 2.0.2.

Critical Impact

Attackers can inject arbitrary HTML into shared pastes, enabling redirect-based phishing and defacement even when confidentiality of paste content remains intact.

Affected Products

  • PrivateBin 1.7.7 through 2.0.1 with attachments enabled
  • Self-hosted PrivateBin instances lacking the recommended CSP
  • PrivateBin deployments sharing a domain with sensitive assets

Discovery Timeline

  • 2025-10-28 - CVE-2025-62796 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62796

Vulnerability Analysis

PrivateBin encrypts paste content and attachments in the browser before transmission. The client also encrypts metadata, including the attachment filename stored in attachment_name. After decryption, the client-side JavaScript rendered the filename into the DOM without escaping HTML entities. An attacker crafting a paste could set attachment_name to an HTML payload rather than a legitimate filename. Any recipient opening the paste triggers rendering of the injected markup.

The recommended CSP blocks inline and remote script execution, which limits confidentiality impact. However, non-script HTML elements such as <meta http-equiv="refresh">, <iframe>, <a>, and styled <div> blocks still execute their intended browser behavior. This enables silent redirects to attacker-controlled phishing pages and visual defacement of the paste view.

Root Cause

The root cause is missing output sanitization of the attachment_name field in js/privatebin.js. The application trusted client-supplied filename metadata and inserted it into the page using an unescaped DOM operation. The value crosses the encryption boundary intact, so server-side filtering cannot mitigate the issue.

Attack Vector

An attacker creates a paste with an attachment and replaces the filename field in the client-side encryption payload with malicious HTML. The attacker shares the paste URL and decryption key with a target. When the victim opens the link, the browser decrypts the payload and renders the injected HTML unescaped, executing redirect or defacement logic in the victim's session context.

php
// Patch excerpt: lib/Configuration.php Subresource Integrity update
// Source: https://github.com/PrivateBin/PrivateBin/commit/c4f8482b3072be7ae012cace1b3f5658dcc3b42e
'js/legacy.js'           => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==',
'js/prettify.js'         => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
-'js/privatebin.js'       => 'sha512-2F02E/UQoQyCNk0FvwaOLD9MvDhtuYqTtGKdqwsbDjY4O0jMZjn/EtiP2wvS0uxYojkxeUitF0HWb+RDFUwQXg==',
+'js/privatebin.js'       => 'sha512-7b9PUe3bhiZAjMlNMuRMLkiiTx4CpIlh/L/XAfj+zmQ0DUFXIVkdliOLEZixXliYc3N97OOZEJPpRA7VYMLyjw==',
'js/purify-3.2.7.js'     => 'sha512-2H9wzIiPQCOsh7T3hK/WuqWIwSQ2oYq91doyrp1LcnXuPyxzehopypz16wiWqxmMjx2cVIqAWCoRp1gNZAsFEQ==',

The patch updates the Subresource Integrity hash for js/privatebin.js, reflecting the DOM sanitization fix applied to attachment filename rendering. See the GitHub Security Advisory GHSA-867c-p784-5q6g for full context.

Detection Methods for CVE-2025-62796

Indicators of Compromise

  • Pastes containing attachment filenames with HTML tags such as <meta, <iframe, <a href, or <style after decryption
  • Browser redirects to unexpected external domains immediately after opening a PrivateBin paste
  • CSP violation reports referencing inline HTML rendering on PrivateBin paste view pages

Detection Strategies

  • Review PrivateBin server logs for paste creation requests with abnormally large or structured attachment_name fields, though these arrive encrypted in the payload
  • Deploy CSP reporting endpoints and alert on report-uri submissions from PrivateBin origins
  • Monitor outbound web proxy logs for redirects originating from PrivateBin domains to newly registered or unrated destinations

Monitoring Recommendations

  • Track the deployed PrivateBin version across self-hosted instances and flag any running 1.7.7 through 2.0.1
  • Alert on browser telemetry showing meta refresh navigation events sourced from PrivateBin paste pages
  • Correlate phishing report submissions with recent PrivateBin link deliveries in email gateways

How to Mitigate CVE-2025-62796

Immediate Actions Required

  • Upgrade all PrivateBin instances to version 2.0.2 or later
  • Verify the recommended Content Security Policy is present and enforced in HTTP response headers
  • Audit hosting configuration to ensure PrivateBin runs on a domain isolated from other applications

Patch Information

The fix landed in PrivateBin 2.0.2 via GitHub Pull Request #1550 and commit c4f8482. The patch sanitizes the attachment_name value before DOM insertion and updates the Subresource Integrity hash for js/privatebin.js. Administrators should redeploy static assets after upgrading to ensure browsers fetch the corrected bundle.

Workarounds

  • Disable attachments in the PrivateBin configuration file until the upgrade is complete
  • Enforce the recommended strict CSP that blocks inline scripts and restricts framing
  • Host PrivateBin on a dedicated domain to contain redirect and defacement impact away from primary corporate assets
bash
# conf.php: disable attachments as a temporary workaround
[main]
fileupload = false

# Recommended CSP response header for PrivateBin
Content-Security-Policy: default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.