CVE-2025-64759 Overview
CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability in Homarr, an open-source dashboard application. The flaw exists in Homarr versions prior to 1.43.3 and stems from improper handling of user-uploaded SVG files. When a victim views a page that renders or redirects to a malicious SVG, attacker-controlled JavaScript executes in the victim's browser session. An attacker can abuse this behavior to add their own account to the credentials-admin group when an administrator triggers the rendering, granting full administrative access to the Homarr instance. The issue is patched in version 1.43.3.
Critical Impact
Successful exploitation grants attackers full administrative access to Homarr by elevating their account into the credentials-admin group when an administrator views the malicious SVG.
Affected Products
- Homarr versions prior to 1.43.3
- Homarr self-hosted dashboard deployments accepting user media uploads
- Homarr instances exposing the /api/user-medias/[id] route
Discovery Timeline
- 2025-11-19 - CVE-2025-64759 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64759
Vulnerability Analysis
The vulnerability is a stored XSS issue (CWE-79) compounded by improper input validation (CWE-20) and unrestricted file upload of dangerous content (CWE-434). Homarr allows authenticated users to upload media files, including SVG images. SVG is an XML-based format that can embed <script> tags and event handlers, which browsers execute when the file is rendered inline. Because the application served uploaded SVG content without sanitization, any embedded JavaScript ran in the origin of the Homarr dashboard. An attacker with low-privilege upload rights can stage a payload, then wait for an administrator to view the asset. The malicious script inherits the administrator's session and issues authenticated API calls, including assigning the attacker's account to the credentials-admin group.
Root Cause
The apps/nextjs/src/app/api/user-medias/[id]/route.ts handler returned uploaded media, including SVG files, without sanitizing embedded scripts or event handlers. SVGs were treated as static media rather than active web content, so neither a Content-Type override nor a sanitization layer prevented script execution when the file rendered in the browser.
Attack Vector
Exploitation requires authenticated access to upload media and user interaction by an administrator who views the resulting media URL. Once the SVG renders, the embedded script executes under the Homarr origin and acts with the viewer's privileges. The patch introduces isomorphic-dompurify to sanitize SVG content server-side before delivery.
// Patch: server-side SVG sanitization with DOMPurify
import { notFound } from "next/navigation";
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import DOMPurify from "isomorphic-dompurify";
import { db, eq } from "@homarr/db";
import { medias } from "@homarr/db/schema";
Source: Homarr commit aaa23f3
// Next.js config update to externalize sanitization packages
typescript: { ignoreBuildErrors: true },
/**
* dockerode is required in the external server packages because of https://github.com/homarr-labs/homarr/issues/612
* isomorphic-dompurify and jsdom are required, see https://github.com/kkomelin/isomorphic-dompurify/issues/356
*/
serverExternalPackages: ["dockerode", "isomorphic-dompurify", "jsdom"],
Source: Homarr commit aaa23f3
Detection Methods for CVE-2025-64759
Indicators of Compromise
- Uploaded SVG files in Homarr media storage containing <script> tags, onload, onerror, or javascript: URIs.
- Unexpected additions of user accounts to the credentials-admin group in the Homarr database or audit logs.
- HTTP requests to /api/user-medias/[id] returning image/svg+xml responses immediately followed by privileged API calls from the same session.
Detection Strategies
- Inspect stored media on disk for SVG payloads that contain script content or event handler attributes before applying the patch.
- Review application access logs for sequences where an administrator session loaded a user-uploaded SVG and then issued group membership changes.
- Compare current credentials-admin group members against a known-good baseline and flag any unexplained additions.
Monitoring Recommendations
- Alert on any creation or modification of administrative group membership in Homarr.
- Monitor outbound requests from administrator browsers to unexpected domains shortly after viewing media URLs.
- Track upload volume and file types from non-administrator accounts to identify abnormal SVG submissions.
How to Mitigate CVE-2025-64759
Immediate Actions Required
- Upgrade Homarr to version 1.43.3 or later, which integrates isomorphic-dompurify server-side SVG sanitization.
- Audit existing media uploads and remove any SVG files containing scripts or event handler attributes.
- Review the credentials-admin group membership and revoke any accounts that should not hold administrative rights.
Patch Information
The fix is delivered in Homarr 1.43.3 via commit aaa23f3, which adds isomorphic-dompurify and jsdom as server-side dependencies and sanitizes SVG responses in apps/nextjs/src/app/api/user-medias/[id]/route.ts. See the Homarr Security Advisory GHSA-wj62-c5gr-2x53 for full details.
Workarounds
- Restrict media upload permissions to trusted users only until the upgrade is applied.
- Block SVG uploads at a reverse proxy or web application firewall by rejecting Content-Type: image/svg+xml to the user media endpoints.
- Force SVG responses to download rather than render inline by setting Content-Disposition: attachment and a non-rendering MIME type via an upstream proxy.
# Example NGINX rule to force SVG downloads from Homarr media endpoint
location ~ ^/api/user-medias/ {
proxy_pass http://homarr_upstream;
proxy_hide_header Content-Disposition;
add_header Content-Disposition "attachment" always;
add_header X-Content-Type-Options "nosniff" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

