Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65465

CVE-2025-65465: Skrol29 TbsZip XSS Vulnerability

CVE-2025-65465 is a reflected Cross-Site Scripting flaw in Skrol29 TbsZip that enables attackers to execute malicious scripts via crafted filenames. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-65465 Overview

A reflected Cross-Site Scripting (XSS) vulnerability exists in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier. This flaw allows remote attackers to execute arbitrary web scripts or HTML by crafting a malicious payload within a filename parameter, such as when passed to the FileRead function. The vulnerability occurs because error messages are not properly sanitized before being rendered to the user, enabling injection of malicious content into the browser context.

Critical Impact

Attackers can execute arbitrary JavaScript in the context of a victim's browser session, potentially leading to session hijacking, credential theft, or redirection to malicious sites.

Affected Products

  • Skrol29 TbsZip version 2.17 and earlier
  • Applications using TbsZip library for ZIP file handling
  • OpenTBS implementations relying on vulnerable TbsZip versions

Discovery Timeline

  • 2026-03-02 - CVE CVE-2025-65465 published to NVD
  • 2026-03-02 - Last updated in NVD database

Technical Details for CVE-2025-65465

Vulnerability Analysis

This reflected XSS vulnerability (CWE-79) stems from improper input validation in the TbsZip library's error handling mechanism. When a user supplies a specially crafted filename to functions like FileRead, any error generated includes the unsanitized filename in the error output. Because the error message is directly rendered to the user without proper encoding or escaping, an attacker can inject HTML or JavaScript that will execute in the victim's browser.

The attack requires user interaction—typically, a victim must be tricked into clicking a malicious link containing the crafted payload. Once executed, the malicious script runs with the same privileges as the victim's session, enabling various attacks including cookie theft, session hijacking, and phishing.

Root Cause

The root cause lies in the RaiseError function's failure to sanitize user-controlled input before including it in error messages. When a malformed or specially crafted filename is provided, the error handling routine outputs the filename directly to the browser without applying HTML entity encoding, escaping special characters, or implementing Content Security Policy headers to mitigate script execution.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker constructs a URL containing a malicious JavaScript payload embedded in a filename parameter. When a victim clicks this link and an error is triggered, the malicious script executes in the victim's browser session. This is a reflected XSS attack, meaning the payload is not stored on the server but is immediately reflected back to the user.

The vulnerability allows attackers to:

  • Steal session cookies and authentication tokens
  • Perform actions on behalf of the authenticated user
  • Redirect users to phishing or malware distribution sites
  • Modify page content to display fraudulent information

For technical details and proof-of-concept code, see the GitHub Gist PoC Code referenced in the CVE disclosure.

Detection Methods for CVE-2025-65465

Indicators of Compromise

  • Unusual HTTP requests containing JavaScript or HTML tags within filename parameters
  • Web server logs showing URL-encoded script tags (e.g., %3Cscript%3E) in query strings targeting TbsZip functions
  • Client-side errors or unexpected script execution when processing ZIP file operations
  • Reports from users about unexpected browser behavior or redirections

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters
  • Monitor HTTP request logs for suspicious filename parameters containing HTML or script tags
  • Deploy browser-based XSS detection tools or Content Security Policy violation reporting
  • Utilize SIEM solutions to correlate web server logs with known XSS attack patterns

Monitoring Recommendations

  • Enable detailed logging for web applications utilizing TbsZip to capture all input parameters
  • Configure alerting for requests containing special characters such as <, >, ", and ' in filename fields
  • Review Content Security Policy headers to ensure proper script-src directives are in place
  • Regularly audit third-party library versions to identify outdated or vulnerable dependencies

How to Mitigate CVE-2025-65465

Immediate Actions Required

  • Upgrade TbsZip to version 2.18 or later, which contains the fix for this vulnerability
  • Review applications using TbsZip and identify all instances where user input is passed to library functions
  • Implement Content Security Policy headers to reduce the impact of potential XSS attacks
  • Deploy WAF rules to filter malicious input while patching is underway

Patch Information

The vulnerability has been fixed in TbsZip version 2.18. Users should upgrade immediately to this version or later. The patched version properly sanitizes error message output to prevent XSS injection. The fix is available in the TbsZip v2.18 Release on GitHub.

Additional resources:

Workarounds

  • Implement server-side input validation to reject filenames containing HTML or script characters before passing them to TbsZip functions
  • Deploy a Web Application Firewall with XSS filtering rules to block malicious payloads at the network perimeter
  • Configure Content Security Policy headers with restrictive script-src directives to prevent inline script execution
  • Wrap TbsZip error handling in custom sanitization routines that escape HTML entities before output
bash
# Configuration example - Apache Content Security Policy header
# Add to .htaccess or Apache configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.