CVE-2025-65622 Overview
CVE-2025-65622 is a stored cross-site scripting (XSS) vulnerability in Snipe-IT, an open-source IT asset management application. The flaw exists in versions before 8.3.4 and resides in the Country field of the Locations feature. A low-privileged authenticated user can inject JavaScript that executes in another user's browser session when they view the affected Location record. The issue is tracked under CWE-79 and impacts confidentiality and integrity by enabling session-context script execution.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in higher-privileged users' sessions, enabling account compromise, data exfiltration, and unauthorized actions within Snipe-IT.
Affected Products
- Snipe-IT versions prior to 8.3.4
- Snipeitapp Snipe-IT asset management platform
- Self-hosted and containerized Snipe-IT deployments
Discovery Timeline
- 2025-12-01 - CVE-2025-65622 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-65622
Vulnerability Analysis
The vulnerability is a stored XSS condition affecting the Locations management module of Snipe-IT. When an authenticated user creates or edits a Location, the application accepts input in the Country field without sufficient output encoding. The injected payload is persisted in the application database and rendered when other users browse the Locations page or any view referencing the record.
Because Snipe-IT supports role-based access, a low-privileged user with permission to manage Locations can plant a payload that later executes in an administrator's session. The scope change captured in the CVSS vector reflects that the executed script crosses the security boundary of the originating user and runs under another user's authenticated context.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The Country parameter in the Locations form is stored and later reflected in HTML output without contextual escaping. Standard mitigations such as HTML entity encoding or strict allow-list validation are not applied before rendering, allowing <script> tags and event handlers to execute.
Attack Vector
Exploitation requires network access to the Snipe-IT interface, a valid low-privileged account, and user interaction in the form of a victim viewing the malicious Location entry. An attacker authenticates, creates or modifies a Location, and supplies a JavaScript payload in the Country field. Once persisted, any user navigating to the Locations view executes the payload in their browser, enabling cookie theft, CSRF chaining, or UI manipulation.
Technical details are documented in the GitHub CVE-2025-65622 Research repository.
Detection Methods for CVE-2025-65622
Indicators of Compromise
- Location records containing HTML tags, <script>, javascript: URIs, or event handler attributes such as onerror, onload, or onmouseover in the Country field.
- Unexpected outbound HTTP requests from administrator browsers to attacker-controlled hosts after visiting the Locations page.
- Audit log entries showing Locations created or modified by low-privileged accounts immediately followed by privileged account activity.
Detection Strategies
- Query the Snipe-IT database for non-alphabetic characters in the locations.country column to surface suspicious entries.
- Inspect web server access logs for POST requests to /locations or /locations/{id} containing URL-encoded < or script substrings.
- Review browser Content Security Policy (CSP) violation reports for inline script execution originating from Snipe-IT pages.
Monitoring Recommendations
- Enable Snipe-IT activity logging and forward events to a centralized log platform for correlation across user roles.
- Alert on creation or modification of Location records by accounts that do not normally perform administrative configuration.
- Monitor for anomalous session token usage, such as the same session cookie appearing from multiple IP addresses shortly after Locations page views.
How to Mitigate CVE-2025-65622
Immediate Actions Required
- Upgrade Snipe-IT to version 8.3.4 or later, which contains the fix for the Locations Country field encoding issue.
- Audit existing Location records and remove any entries containing HTML markup or scripting syntax in the Country field.
- Restrict the permission to create and edit Locations to trusted administrative roles until patching is complete.
Patch Information
The vendor has addressed the issue in Snipe-IT 8.3.4. Administrators should follow the official upgrade procedure documented at Snipe-IT Application Overview and verify the running version after deployment. Containerized installations should pull the updated image and recreate the application container.
Workarounds
- Apply a Content Security Policy that disallows inline scripts (script-src 'self') to limit the impact of stored payloads.
- Place Snipe-IT behind a web application firewall configured to block XSS patterns in POST parameters targeting /locations.
- Temporarily revoke the Locations management permission from non-administrative roles until the upgrade is applied.
# Verify the installed Snipe-IT version and upgrade if below 8.3.4
php artisan --version
grep "'app_version'" config/version.php
# Upgrade procedure (self-hosted)
git fetch --tags && git checkout v8.3.4
php artisan migrate --force
php artisan config:cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
