Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65027

CVE-2025-65027: Romm.app Romm XSS Vulnerability

CVE-2025-65027 is a stored XSS vulnerability in Romm.app Romm ROM Manager caused by unrestricted file uploads. Attackers can achieve admin account takeover through malicious SVG or HTML files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-65027 Overview

CVE-2025-65027 is a stored Cross-Site Scripting (XSS) vulnerability in RomM, an open-source ROM Manager that lets users scan, enrich, browse, and play game collections. The flaw stems from multiple unrestricted file upload endpoints that accept malicious SVG or HTML files from authenticated users. When the uploaded files are served back to a victim, the browser executes embedded JavaScript in the application's origin. Combined with a Cross-Site Request Forgery (CSRF) misconfiguration, the issue enables full administrative account takeover. The vulnerability is tracked under [CWE-79] and is fixed in RomM versions 4.4.1 and 4.4.1-beta.2.

Critical Impact

An authenticated low-privileged user can chain stored XSS with CSRF to create rogue admin accounts, escalate their own role to admin, and take over the RomM instance.

Affected Products

  • RomM (rommapp/romm) versions prior to 4.4.1
  • RomM beta release 4.4.1-beta.1
  • Self-hosted RomM deployments exposing user upload functionality

Discovery Timeline

  • 2025-12-03 - CVE-2025-65027 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-65027

Vulnerability Analysis

RomM exposes several file upload endpoints that do not restrict content types or sanitize uploaded file contents. Authenticated users can upload SVG or HTML files containing inline <script> tags or event handlers such as onload. When another user, including an administrator, opens a URL pointing to the uploaded asset, the application serves the file with a renderable content type. The browser parses the SVG or HTML inline, executing the attacker's JavaScript within the RomM origin and session context.

Because the application also lacks proper CSRF protections on state-changing endpoints, the injected JavaScript can issue authenticated requests on behalf of the victim. An attacker can create a new administrator account, promote an existing low-privileged account to admin, or modify configuration. The chain converts a single authenticated upload into full application compromise.

Root Cause

The root cause is a combination of two design flaws. First, upload handlers fail to validate or sanitize file MIME types and content, allowing SVG and HTML payloads to be stored and later served as active content. Second, sensitive administrative endpoints do not enforce anti-CSRF tokens or SameSite cookie protections, allowing scripted requests from any same-origin context to succeed.

Attack Vector

The attack requires an authenticated low-privileged RomM account and user interaction from a victim with higher privileges. The attacker uploads a crafted SVG containing JavaScript through a vulnerable endpoint. The attacker then shares or embeds the resulting URL where an administrator will load it. Upon load, the script executes in the admin's browser session and issues forged requests to RomM's user-management API. The result is creation of a rogue administrator, privilege escalation of the attacker's account, or arbitrary configuration changes.

The vulnerability mechanism is documented in the RomM GitHub Security Advisory GHSA-v3c6-w996-f7hx.

Detection Methods for CVE-2025-65027

Indicators of Compromise

  • Uploaded files with .svg or .html extensions in RomM's user upload directories that contain <script>, onload=, or javascript: strings.
  • Unexpected creation of new administrator accounts or role changes in the RomM users table.
  • HTTP responses serving user-supplied content with Content-Type: image/svg+xml or text/html.
  • Outbound requests from administrator browser sessions to attacker-controlled domains immediately after viewing a RomM-hosted asset.

Detection Strategies

  • Inspect uploaded media for embedded scripting constructs using static content scanners on the RomM storage path.
  • Audit RomM application logs for upload requests followed by admin-role changes from the same session or IP.
  • Monitor reverse proxy logs for GET requests returning SVG or HTML content from user-controlled paths with Referer headers from RomM pages.

Monitoring Recommendations

  • Enable verbose audit logging for user role changes, admin account creation, and API token issuance in RomM.
  • Forward web server and application logs to a centralized analytics platform to correlate uploads with privilege changes.
  • Alert on any new account assigned the admin role outside of approved change windows.

How to Mitigate CVE-2025-65027

Immediate Actions Required

  • Upgrade RomM to version 4.4.1 or 4.4.1-beta.2 immediately.
  • Review the RomM users table and remove any unrecognized administrator accounts.
  • Rotate API tokens and force password resets for all RomM users, prioritizing admin accounts.
  • Restrict access to the RomM instance behind authentication-aware reverse proxies until patched.

Patch Information

The maintainers released fixes in RomM 4.4.1 and 4.4.1-beta.2. The patches add MIME validation on upload endpoints and CSRF protections on state-changing routes. Refer to the RomM Security Advisory GHSA-v3c6-w996-f7hx for upgrade instructions and release notes.

Workarounds

  • Disable file upload functionality for non-trusted users until the upgrade is applied.
  • Place RomM behind a reverse proxy that strips active content types from user upload paths or rewrites them to application/octet-stream.
  • Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to the application origin.
bash
# Example nginx configuration to neutralize active content on the uploads path
location /assets/romm/resources/ {
    add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'none'";
    add_header X-Content-Type-Options "nosniff";
    types { application/octet-stream svg html; }
    default_type application/octet-stream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.