CVE-2025-63317 Overview
CVE-2025-63317 is a Cross-Site Scripting (XSS) vulnerability affecting Doist Todoist version 8896. The vulnerability exists in the /api/v1/uploads endpoint, where uploaded SVG files are not properly sanitized before being served to users. This lack of input validation allows attackers to embed malicious JavaScript code within SVG files, which executes when a victim opens the attachment from a task or comment within the application.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of a victim's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions within the user's Todoist account.
Affected Products
- Doist Todoist version 8896
- Doist Todoist version 8486
Discovery Timeline
- 2025-12-01 - CVE-2025-63317 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-63317
Vulnerability Analysis
This stored XSS vulnerability carries a CVSS 3.1 score of 5.4 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The attack is network-based with low complexity, requiring no privileges but necessitating user interaction for successful exploitation.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common weakness category for cross-site scripting flaws. The EPSS (Exploit Prediction Scoring System) indicates a 0.03% probability of exploitation, placing this vulnerability in the 7.9th percentile.
Root Cause
The root cause of this vulnerability lies in the absence of input sanitization for SVG file uploads in the /api/v1/uploads API endpoint. SVG (Scalable Vector Graphics) files are XML-based and can contain embedded JavaScript code through elements such as <script> tags, event handlers like onload, or through other SVG-specific constructs. When Todoist processes and stores these uploaded SVG files without stripping potentially malicious content, the embedded scripts persist in the application's storage and execute when rendered in a user's browser.
Attack Vector
The attack vector is network-based and follows a stored XSS pattern. An attacker crafts a malicious SVG file containing embedded JavaScript payload and uploads it through the /api/v1/uploads endpoint. The malicious file is then attached to a task or comment within the Todoist application. When another user opens or previews this attachment, the browser renders the SVG file and executes the embedded JavaScript code in the context of the victim's authenticated session.
The attack exploits the trust relationship between the user and the application—users expect attachments within their task management tool to be safe. The malicious script can access session cookies, perform actions on behalf of the user, exfiltrate sensitive data, or redirect the user to phishing pages.
Detection Methods for CVE-2025-63317
Indicators of Compromise
- Unusual SVG file uploads containing <script> tags or JavaScript event handlers
- SVG files with suspicious attributes such as onload, onclick, onerror, or onmouseover
- Network requests to external domains originating from SVG file rendering
- Unexpected API calls or session activity following SVG attachment access
Detection Strategies
Security teams should implement content inspection for all file uploads, particularly focusing on SVG files which can contain executable code. Web Application Firewalls (WAF) can be configured to detect and block SVG uploads containing script elements or event handlers. Additionally, monitoring for anomalous behavior following attachment access—such as unexpected API calls or data exfiltration attempts—can help identify successful exploitation.
Browser-based Content Security Policy (CSP) headers can provide defense-in-depth by restricting the execution of inline scripts and limiting the sources from which scripts can be loaded, potentially mitigating the impact of XSS attacks even when malicious content bypasses upload filters.
Monitoring Recommendations
Organizations using Todoist should monitor access logs for the /api/v1/uploads endpoint, paying particular attention to SVG file uploads. Implementing logging for attachment access events and correlating these with subsequent user activity can help identify potential exploitation attempts. Security Information and Event Management (SIEM) solutions can be configured to alert on patterns indicative of XSS exploitation, such as unusual outbound connections or session anomalies following file access.
How to Mitigate CVE-2025-63317
Immediate Actions Required
- Restrict or disable SVG file uploads until a patch is available
- Implement server-side sanitization for all uploaded SVG files
- Configure Content Security Policy headers to restrict inline script execution
- Educate users about the risks of opening attachments from untrusted sources
Patch Information
As of the last update on 2025-12-04, no official vendor patch information has been published in the vulnerability databases. Organizations should monitor Doist's official security communications and update channels for patch availability. The external reference at https://github.com/sefabasnak/Todoistv8896 provides additional technical details about the vulnerability.
Workarounds
Until an official patch is released, organizations can implement the following workarounds to reduce risk:
Server-side SVG Sanitization: Implement a sanitization library such as DOMPurify on the server side to strip potentially malicious content from SVG uploads before storage.
Content-Type Headers: Ensure SVG files are served with the Content-Disposition: attachment header to force downloads rather than inline rendering, preventing automatic script execution.
Content Security Policy: Deploy strict CSP headers that disable inline script execution and restrict script sources, providing defense-in-depth against XSS attacks.
File Type Restrictions: Consider blocking SVG uploads entirely and only allowing raster image formats (PNG, JPG, GIF) until proper sanitization is implemented.
Organizations should also consider implementing additional security controls such as sandboxed iframe rendering for user-uploaded content and regular security audits of file upload functionality.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
