CVE-2025-63743 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Snipe-IT web-based asset management system affecting versions v8.3.0 through v8.3.1. This vulnerability allows authenticated attackers with minimal privileges (only requiring the ability to log in) to inject arbitrary JavaScript code through the "Name" and "Surname" profile fields. The injected malicious scripts execute when any user with sufficient permissions views the "Activity Report" or the modified profile directly.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of privileged users viewing activity reports.
Affected Products
- Snipe-IT v8.3.0
- Snipe-IT v8.3.1
Discovery Timeline
- 2026-04-13 - CVE-2025-63743 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2025-63743
Vulnerability Analysis
This stored XSS vulnerability exists due to improper sanitization of user-controlled input in the Name and Surname profile fields within Snipe-IT. When a user updates their profile information, the application fails to properly encode or escape the input before rendering it in the Activity Report and profile views. This allows malicious JavaScript payloads embedded in these fields to execute in the browser context of any user who subsequently views the affected content.
Successful exploitation requires a specific condition: the profile's "Display Name" must not be set. When the Display Name is empty, the application falls back to using the raw Name and Surname fields for display, which allows the XSS payload to execute. This is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Root Cause
The root cause lies in the application's use of the present()->fullName() and getFullNameAttribute() methods to render user names in various views. These methods did not properly escape HTML entities before output, allowing JavaScript injection. The fix replaces these vulnerable method calls with the safer display_name property, which applies proper sanitization.
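The two rendering paths described above, modelled in Python as an added example. This is not Snipe-IT's PHP code: ProfileUser, full_name_unescaped, display_name_escaped and render_name_cell are names chosen for the illustration, and the model treats a set display name as trusted only so that the empty-display-name precondition stays visible.

```python
import html
from dataclasses import dataclass

# Added illustration of the two rendering paths the advisory describes.
# It is not Snipe-IT's PHP code; the class and function names are assumptions.


@dataclass
class ProfileUser:
    first_name: str
    last_name: str
    display_name: str = ""  # an empty display name is the exploitation precondition


def full_name_unescaped(user: ProfileUser) -> str:
    """Models the vulnerable present()->fullName() / getFullNameAttribute() path:
    a set display name is returned as-is, otherwise the raw first and last name
    are concatenated. Nothing is HTML-escaped."""
    display = user.display_name.strip()
    return display if display else f"{user.first_name} {user.last_name}"


def display_name_escaped(user: ProfileUser) -> str:
    """Models the fixed display_name property: the same fallback, but the value
    is HTML-escaped (quotes included) before it can reach any markup."""
    return html.escape(full_name_unescaped(user), quote=True)


def render_name_cell(user: ProfileUser, fixed: bool) -> str:
    """Renders the name cell of an Activity Report row using either path."""
    value = display_name_escaped(user) if fixed else full_name_unescaped(user)
    return f"<td>{value}</td>"


def cell_contains_markup(cell: str) -> bool:
    """True when a user-supplied '<' or '>' survived into the cell body, meaning
    the browser would parse profile data as HTML instead of showing it as text."""
    body = cell[len("<td>"):-len("</td>")]
    return "<" in body or ">" in body
```

With first_name set to a harmless tag such as `<b>Eve</b>` and no display name, the unfixed path emits the tag verbatim and the fixed path emits `&lt;b&gt;Eve&lt;/b&gt;`; with a display name set, the unfixed path never touches the name fields, which is why the advisory lists an empty Display Name as the precondition. The real defence is output encoding at the template for every value, not just the one this patch moves.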
Attack Vector
The attack is network-based and requires low-privilege authentication. An attacker needs only minimal access to log into the Snipe-IT system. Once authenticated, they can modify their own profile's Name or Surname fields to include malicious JavaScript. The payload persists in the database and executes whenever:
- An administrator or privileged user views the Activity Report
- Any user with sufficient permissions views the attacker's modified profile
The following patch demonstrates the security fix applied in v8.3.2:
// Security patch in app/Console/Commands/SendAcceptanceReminder.php
// Changed from vulnerable fullName() method to safe display_name property
if(!$email){
$no_email_list[] = [
'id' => $acceptance->assignedTo?->id,
- 'name' => $acceptance->assignedTo?->present()->fullName(),
+ 'name' => $acceptance->assignedTo?->display_name,
];
} else {
$count++;
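Review bot: the hunk ends inside the else branch at `$count++;`, so neither the close of the conditional nor the code that later consumes `$no_email_list` is visible; swapping `present()->fullName()` for `$acceptance->assignedTo?->display_name` in the `'name'` entry only closes the issue if that value is escaped wherever the list is eventually rendered, so the consumer of `$no_email_list` should be reviewed in the same change. The null-safe `?->` (already used on the `'id'` line) also means `'name'` can be null when there is no assignee; confirm the consumer tolerates that.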
Source: GitHub Commit Changes
// Security patch in app/Http/Controllers/Api/AssetsController.php
// Updated to use sanitized display_name property
$asset->use_text = $asset->present()->fullName;
if (($asset->checkedOutToUser()) && ($asset->assigned)) {
- $asset->use_text .= ' → ' . $asset->assigned->getFullNameAttribute();
+ $asset->use_text .= ' → ' . $asset->assigned->display_name;
}
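Review bot: the unchanged line above the hunk, `$asset->use_text = $asset->present()->fullName;`, still builds the first half of `use_text` from the asset presenter's fullName, while only the assigned user's half moves to `display_name`; since the file sits under `app/Http/Controllers/Api/`, `use_text` is presumably returned in an API response, so whatever client-side code renders it must still treat the string as text, and the change should be paired with a check of that renderer rather than relying on this concatenation alone.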
Source: GitHub Commit Changes
Detection Methods for CVE-2025-63743
Indicators of Compromise
- User profile Name or Surname fields containing HTML tags, <script> elements, or JavaScript event handlers (e.g., onerror, onload)
- Database entries in the users table with suspicious content in first_name or last_name columns
- Unexpected JavaScript execution or browser console errors when viewing Activity Reports
- User accounts with empty Display Name fields combined with suspicious Name/Surname values
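An offline audit of user profile rows against the indicators listed above, added here as an example (it is not a Snipe-IT tool). The row layout mirrors the users table columns named in this advisory (id, username, first_name, last_name, display_name); SAMPLE_ROWS are constructed for the example and are not real data. Beyond the LIKE patterns a plain SQL query can express, it matches any event-handler attribute, any HTML tag, and raises the severity when the Display Name is empty, the state in which the vulnerable fallback is rendered.

```python
import re

# Added example: audit of profile rows for the advisory's indicators.
# Row layout mirrors the users table columns named in the advisory;
# SAMPLE_ROWS below are constructed, not real Snipe-IT data.

INDICATORS = {
    # <script ...> element anywhere in the field
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # JavaScript event handler attribute such as onerror= or onload=
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    # javascript: URL scheme
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    # any HTML tag; a legitimate name has no reason to contain one
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.IGNORECASE),
}


def audit_profile(row: dict):
    """Returns a finding for a suspicious row, or None when the row is clean.

    Severity is 'high' when display_name is empty, because that is the state in
    which the vulnerable Name/Surname fallback is rendered, and 'medium' when a
    display name currently masks the injected fields (still worth cleaning)."""
    hits = []
    for field in ("first_name", "last_name"):
        value = row.get(field) or ""
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.append(f"{field}:{label}")
    if not hits:
        return None
    display_empty = not (row.get("display_name") or "").strip()
    return {
        "id": row["id"],
        "username": row["username"],
        "indicators": sorted(set(hits)),
        "display_name_empty": display_empty,
        "severity": "high" if display_empty else "medium",
    }


def audit_profiles(rows):
    """Audits every row and returns the findings in table order."""
    return [f for f in (audit_profile(r) for r in rows) if f is not None]


# Constructed sample rows: one clean user, two with injected markup, and two
# legitimate names containing characters a naive filter might flag.
SAMPLE_ROWS = [
    {"id": 1, "username": "asmith", "first_name": "Alice", "last_name": "Smith", "display_name": "Alice Smith"},
    {"id": 2, "username": "eve", "first_name": "<b>Eve</b>", "last_name": "Example", "display_name": ""},
    {"id": 3, "username": "mallory", "first_name": "Mallory", "last_name": "<script>x</script>", "display_name": "M. Ory"},
    {"id": 4, "username": "oconnor", "first_name": "Seán", "last_name": "O'Connor", "display_name": ""},
    {"id": 5, "username": "onofre", "first_name": "Onofre", "last_name": "Ortiz-Vega", "display_name": ""},
]

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_ROWS):
        print(finding)
```

Feed it the rows exported from the users table (or the result of the audit query in the Workarounds section) and treat every finding, not only the high-severity ones, as a profile to clean, since a Display Name can be cleared later.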
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in form submissions to profile update endpoints
- Configure database query auditing to flag INSERT/UPDATE operations on user profile fields containing script tags or event handlers
- Monitor application logs for unusual patterns in profile modification requests
- Deploy Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation
Monitoring Recommendations
- Enable detailed access logging on the Snipe-IT Activity Report and user profile endpoints
- Set up alerts for profile modifications that include HTML special characters or JavaScript syntax
- Periodically audit user profile data for anomalous entries
- Monitor for CSP violation reports if Content Security Policy is implemented
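A minimal triage routine for the CSP violation reports the last recommendation relies on, added as an example; it is not part of Snipe-IT. The policy string, the /csp-report endpoint, the WATCHED_PATHS fragments, the snipeit.example host and the sample reports are all constructed for the illustration.

```python
import json

# Added example: triage of Content Security Policy violation reports.
# Policy, endpoint, watched paths, hostname and sample reports are constructed;
# none of them is Snipe-IT configuration.

# Example policy: inline scripts are disallowed and violations are posted to
# /csp-report. report-uri is the legacy directive browsers still honour;
# newer deployments add report-to alongside it.
EXAMPLE_POLICY = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; report-uri /csp-report"
)

# Assumed path fragments for the pages where this XSS renders; adjust to the
# routes your instance serves the Activity Report and user profiles from.
WATCHED_PATHS = ("/reports/activity", "/users/")


def parse_csp_report(body: str):
    """Parses the JSON body a browser posts ({"csp-report": {...}}) and returns
    the fields needed for triage, or None when the body is malformed."""
    try:
        report = json.loads(body)["csp-report"]
        if not isinstance(report, dict):
            return None
    except (ValueError, KeyError, TypeError):
        return None
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return {
        "document_uri": report.get("document-uri", ""),
        "directive": directive,
        "blocked_uri": report.get("blocked-uri", ""),
        "script_sample": report.get("script-sample", ""),
    }


def is_inline_script_violation(parsed: dict) -> bool:
    """True when the browser refused to run an inline script. Chromium reports
    blocked-uri "inline"; older Firefox releases report "self" for the same case."""
    return parsed["directive"].startswith("script-src") and parsed["blocked_uri"] in ("inline", "self")


def triage(body: str, watched_paths=WATCHED_PATHS) -> str:
    """Classifies one report: 'malformed', 'other' (not an inline-script block),
    'inline-script' (blocked on an unwatched page) or 'investigate' (blocked on a
    page that renders profile names, which is the signal this XSS produces)."""
    parsed = parse_csp_report(body)
    if parsed is None:
        return "malformed"
    if not is_inline_script_violation(parsed):
        return "other"
    if any(path in parsed["document_uri"] for path in watched_paths):
        return "investigate"
    return "inline-script"


# Constructed sample reports in the legacy report-uri format.
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://snipeit.example/reports/activity",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": EXAMPLE_POLICY,
    "blocked-uri": "inline",
    "status-code": 200,
}})
SAMPLE_IMAGE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://snipeit.example/hardware",
    "violated-directive": "img-src 'self'",
    "effective-directive": "img-src",
    "blocked-uri": "https://cdn.example/logo.png",
}})
```

Ship the policy first as Content-Security-Policy-Report-Only and look at what it reports for ordinary use: an application that relies on inline scripts of its own will generate `inline-script` results on every page, and those need nonces or hashes before the enforcing header is safe to enable.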
How to Mitigate CVE-2025-63743
Immediate Actions Required
- Upgrade Snipe-IT to version v8.3.2 or later immediately
- Audit existing user profiles for any suspicious JavaScript or HTML content in Name and Surname fields
- Review Activity Report logs for evidence of exploitation attempts
- Ensure all user accounts have their Display Name field properly configured as a secondary mitigation
Patch Information
The vulnerability is fixed in Snipe-IT version v8.3.2. The patch modifies the application to use the display_name property instead of the vulnerable present()->fullName() and getFullNameAttribute() methods. The security commit can be reviewed at the GitHub Commit Changes. Additional vulnerability details are available at the GitHub CVE Collection.
Workarounds
- Ensure all user accounts have their Display Name field populated to prevent fallback to the vulnerable Name/Surname rendering
- Implement input validation at the application or WAF level to reject HTML/JavaScript in profile fields
- Deploy strict Content Security Policy headers to prevent inline script execution
- Restrict access to Activity Reports to only essential administrative personnel until patching is complete
# Example: Database query to identify potentially compromised user profiles
# Run against your Snipe-IT database to audit for suspicious entries.
# Covers the indicators listed above: <script> elements, onerror/onload handlers
# and javascript: URLs. An empty display_name on a flagged row means the
# vulnerable Name/Surname fallback was reachable for that user.
mysql -u snipeit_user -p snipeit_db -e "
SELECT id, username, first_name, last_name, display_name
FROM users
WHERE first_name LIKE '%<script%'
   OR last_name  LIKE '%<script%'
   OR first_name LIKE '%onerror%'
   OR last_name  LIKE '%onerror%'
   OR first_name LIKE '%onload%'
   OR last_name  LIKE '%onload%'
   OR first_name LIKE '%javascript:%'
   OR last_name  LIKE '%javascript:%';
"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

