CVE-2025-63419 Overview
CVE-2025-63419 is a reflected Cross-Site Scripting (XSS) vulnerability in CrushFTP version 11.3.6_48. The Web-Based Server exposes a file-sharing feature that reflects the uploaded filename into an email body field without sanitization. An attacker who controls the filename can inject arbitrary HTML or JavaScript into the generated share message. When a victim renders the resulting content, the injected payload executes in the victim's browser context. The flaw is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can inject arbitrary HTML and JavaScript through crafted filenames, enabling session theft, phishing, and client-side code execution against CrushFTP users.
Affected Products
- CrushFTP 11.3.6_48
- CrushFTP 11.x branch (Web-Based Server file share feature)
- CrushFTP deployments exposing the sharing UI to untrusted users
Discovery Timeline
- 2025-11-12 - CVE-2025-63419 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-63419
Vulnerability Analysis
CrushFTP's Web-Based Server includes a file-sharing workflow that generates an email body referencing the shared file. The application reflects the raw filename into that email body without HTML encoding or input sanitization. Because the filename is user-controlled, an attacker can supply a file whose name contains HTML tags or script fragments. The resulting rendered content executes attacker-supplied markup in the browser of anyone who views the share notification. Exploitation requires user interaction, since a victim must open or view the crafted share, and the vulnerability crosses a security scope by acting on the recipient's session rather than the attacker's.
Root Cause
The root cause is missing output encoding on the filename field before it is embedded into the HTML email body. The share feature treats the filename as safe display text rather than untrusted input. Standard defenses such as HTML entity encoding, allow-list validation of filename characters, or Content Security Policy enforcement are not applied to this path.
Attack Vector
An attacker uploads or shares a file whose filename contains an HTML or JavaScript payload, for example a <script> tag or an event-handler attribute on an image tag. The attacker initiates the share workflow, and CrushFTP embeds the malicious filename directly into the outgoing email body or share preview. When a recipient opens the share message in a rendering context, the injected script executes. This allows session cookie theft, credential harvesting via injected forms, or drive-by requests against the CrushFTP interface.
A public proof-of-concept is available in the GitHub Gist PoC Repository and the CVE-2025-63419 Code repository.
Detection Methods for CVE-2025-63419
Indicators of Compromise
- Files uploaded or shared with names containing HTML tags such as <script>, <img, onerror=, or javascript: URIs.
- Outbound share notification emails containing unencoded HTML markup inside the filename portion of the body.
- Unusual browser-originated requests from CrushFTP admin or user sessions following the opening of a share link.
Detection Strategies
- Inspect CrushFTP upload and share logs for filenames containing angle brackets, quotes, or protocol handlers.
- Deploy a Web Application Firewall (WAF) rule that flags filenames failing an allow-list of safe characters ([A-Za-z0-9._-]).
- Monitor egress mail traffic from CrushFTP hosts for message bodies containing unescaped < or > characters adjacent to filename tokens.
Monitoring Recommendations
- Alert on CrushFTP process spawning unusual child processes or outbound network calls following a share event.
- Correlate share creation events with subsequent browser sessions from recipient IP ranges to identify payload execution.
- Track version metadata across CrushFTP deployments to ensure patched builds are running.
How to Mitigate CVE-2025-63419
Immediate Actions Required
- Upgrade CrushFTP to the latest fixed release beyond 11.3.6_48 as published by the vendor.
- Restrict access to the Web-Based Server sharing feature to authenticated, trusted users only.
- Enforce a strict filename allow-list on upload endpoints, rejecting filenames containing HTML metacharacters.
Patch Information
CrushFTP has not published a vendor advisory URL in the NVD record for CVE-2025-63419. Administrators should consult the CrushFTP release notes and update to the most recent 11.x build that addresses the XSS in the share email body. Verify the fix by testing a filename containing <script>alert(1)</script> in a non-production instance and confirming the output is HTML-encoded.
Workarounds
- Disable the file-sharing feature in the Web-Based Server until an upgrade is applied.
- Deploy a reverse proxy or WAF rule that strips or encodes HTML metacharacters from filename parameters.
- Configure a strict Content Security Policy that blocks inline script execution in the CrushFTP web UI.
- Instruct users to preview share notifications as plain text rather than rendered HTML.
# Example WAF rule concept: reject uploads whose filename contains HTML metacharacters
# ModSecurity-style pseudo-rule
SecRule ARGS_NAMES|ARGS:filename "@rx [<>\"']" \
"id:1063419,phase:2,deny,status:400,\
msg:'CVE-2025-63419: HTML metacharacter in CrushFTP filename'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

