Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64176

CVE-2025-64176: Thinkdashboard XSS Vulnerability

CVE-2025-64176 is a stored XSS vulnerability in Thinkdashboard that allows attackers to upload malicious files via the backup import feature. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64176 Overview

CVE-2025-64176 is an unrestricted file upload vulnerability in ThinkDashboard, a self-hosted bookmark dashboard written in Go and vanilla JavaScript. Versions 0.6.7 and earlier allow attackers to upload arbitrary files to the /data directory through the backup import feature. The import routine relies on client-side file type validation, which an attacker bypasses by submitting a crafted .zip archive. The uploaded contents can enable stored cross-site scripting (XSS), malware staging, or other malicious payload delivery. The issue is fixed in ThinkDashboard version 0.6.8.

Critical Impact

An unauthenticated attacker who can lure a victim to import a malicious backup archive can plant arbitrary files in the application's /data directory, enabling stored XSS and further payload distribution.

Affected Products

  • ThinkDashboard versions 0.6.7 and below
  • Vendor: matiasdesuu
  • Component: matiasdesuu:thinkdashboard

Discovery Timeline

  • 2025-11-06 - CVE-2025-64176 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64176

Vulnerability Analysis

The vulnerability resides in ThinkDashboard's backup import handler. The application accepts a .zip archive from the user and extracts its contents into the server-side /data directory. File type restrictions are enforced only in the browser, so a crafted archive fully bypasses validation. Because extracted files are served by the web application, an attacker can plant HTML or JavaScript files that execute in the victim's browser session, resulting in stored XSS. The same primitive lets an attacker overwrite legitimate assets such as icons or fonts, or drop arbitrary binaries for later retrieval as part of a malware distribution chain. The weakness maps to [CWE-434] Unrestricted Upload of File with Dangerous Type and [CWE-20] Improper Input Validation.

Root Cause

The import handler in handlers.go did not validate the filenames or file types contained inside the imported archive on the server side. Any entry in the archive was written to /data without allow-list enforcement or path sanitization.

Attack Vector

Exploitation requires user interaction. An attacker crafts a malicious .zip archive containing files with arbitrary names and content, then convinces an authenticated ThinkDashboard user to import it via the backup restore feature. Once written to /data, malicious HTML or JavaScript is served in the application's origin, executing in the context of subsequent visitors.

go
// Patch: server-side filename allow-list in handlers.go
// Source: https://github.com/MatiasDesuu/ThinkDashboard/commit/18d2f6aded0d6424cc4c8619731dd20563f4cfd8

// isValidImportFilename validates that the filename is safe and allowed for import
func (h *Handlers) isValidImportFilename(filename string) bool {
	// Prevent path traversal
	if strings.Contains(filename, "..") || strings.Contains(filename, "/") || strings.Contains(filename, "\\") {
		return false
	}

	// Allow only specific filenames with their extensions
	allowedFiles := []string{
		"settings.json",
		"colors.json",
		"pages.json",
		"favicon.ico",
		"favicon.png",
		"favicon.jpg",
		"favicon.gif",
		"font.woff",
		"font.woff2",
		"font.ttf",
		"font.otf",
	}

	// Check if it's one of the specific files
	for _, allowed := range allowedFiles {
		if filename == allowed {
			return true
		}
	}
	return false
}

The patch enforces both a strict filename allow-list and explicit path traversal checks before writing any imported file.

Detection Methods for CVE-2025-64176

Indicators of Compromise

  • Unexpected files in the ThinkDashboard /data directory that do not match the allow-listed set (settings.json, colors.json, pages.json, favicon.*, font.*).
  • HTML, JavaScript, or executable files present in /data following a backup import event.
  • Recent modifications to /data correlated with authenticated backup import HTTP requests.

Detection Strategies

  • Monitor filesystem changes to the ThinkDashboard /data directory and alert on writes of file extensions outside the expected JSON, font, and icon types.
  • Review web server access logs for POST requests to the backup import endpoint and correlate them with subsequent GET requests for anomalous file paths.
  • Inspect served HTTP responses from ThinkDashboard for unexpected Content-Type: text/html or application/javascript originating from /data.

Monitoring Recommendations

  • Enable file integrity monitoring on the ThinkDashboard data directory.
  • Log and retain all backup import requests, including originating IP and user account, for retrospective analysis.
  • Alert on browser Content Security Policy (CSP) violations that could indicate stored XSS execution.

How to Mitigate CVE-2025-64176

Immediate Actions Required

  • Upgrade ThinkDashboard to version 0.6.8 or later, which enforces server-side filename validation.
  • Audit the /data directory for files outside the expected allow-list and remove any unauthorized entries.
  • Restrict access to the ThinkDashboard instance to trusted users and networks until patching is complete.

Patch Information

The fix is delivered in ThinkDashboard 0.6.8 via commit 18d2f6a, which introduces the isValidImportFilename server-side allow-list. Details are available in the GitHub Security Advisory GHSA-jvmw-hg62-jr47 and the upstream commit.

Workarounds

  • Disable or block access to the backup import endpoint via a reverse proxy rule until the upgrade is applied.
  • Place ThinkDashboard behind an authenticating reverse proxy and restrict import functionality to administrators only.
  • Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to reduce the impact of stored XSS.
bash
# Example nginx rule to block the backup import endpoint until patched
location ~* /import {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.