CVE-2025-66403 Overview
CVE-2025-66403 is a stored cross-site scripting (XSS) vulnerability affecting FileRise, a self-hosted web-based file manager that provides multi-file upload, editing, and batch operations capabilities. The vulnerability exists due to improper handling of uploaded SVG files, where the application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content.
When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, malicious code executes in the origin context of the application, enabling full stored XSS attacks.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated users viewing malicious SVG files, potentially leading to session hijacking, credential theft, or unauthorized actions within the FileRise application.
Affected Products
- FileRise versions prior to 2.2.3
Discovery Timeline
- 2025-12-01 - CVE-2025-66403 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-66403
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The FileRise application fails to properly sanitize SVG file uploads, treating them as safe image formats despite SVGs being XML documents capable of containing embedded JavaScript.
The vulnerability carries a CVSS 3.1 score of 4.6 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. This indicates:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low - no special conditions required
- Privileges Required: Low - authenticated user access needed
- User Interaction: Required - victim must view the malicious SVG
- Impact: Limited confidentiality and integrity impact, no availability impact
The EPSS (Exploit Prediction Scoring System) score is 0.029% with a percentile of 7.715, indicating relatively low exploitation probability in the wild.
Root Cause
The root cause lies in the application's file preview functionality, which treats SVG files identically to other safe image formats (JPG, PNG, GIF, etc.). The code failed to recognize that SVG files, unlike raster image formats, can contain executable JavaScript due to their XML-based structure.
In the vulnerable code path, SVG files were included in the list of previewable image formats, allowing the browser to render them with full script execution capabilities in the application's origin context.
Attack Vector
An attacker with file upload privileges can craft a malicious SVG file containing embedded JavaScript payloads. These payloads can utilize inline script tags or event-based attributes (such as onload, onclick, or onerror) to execute arbitrary code. When another user views the uploaded file through the FileRise interface, the malicious script executes with that user's session context.
The security patch removes SVG from the list of previewable formats and explicitly excludes it from thumbnail generation:
const safeUploader = escapeHTML(file.uploader || "Unknown");
let previewButton = "";
- if (/\.(jpg|jpeg|png|gif|bmp|webp|svg|ico|tif|tiff|eps|heic|pdf|mp4|webm|mov|mp3|wav|m4a|ogg|flac|aac|wma|opus|mkv|ogv)$/i.test(file.name)) {
+
+ const isSvg = /\.svg$/i.test(file.name);
+
+ // IMPORTANT: do NOT treat SVG as previewable
+ if (
+ !isSvg &&
+ /\.(jpg|jpeg|png|gif|bmp|webp|ico|tif|tiff|eps|heic|pdf|mp4|webm|mov|mp3|wav|m4a|ogg|flac|aac|wma|opus|mkv|ogv)$/i
+ .test(file.name)
+ ) {
let previewIcon = "";
- if (/\.(jpg|jpeg|png|gif|bmp|webp|svg|ico|tif|tiff|eps|heic)$/i.test(file.name)) {
+
+ // images (SVG explicitly excluded)
+ if (
+ /\.(jpg|jpeg|png|gif|bmp|webp|ico|tif|tiff|eps|heic)$/i
+ .test(file.name)
+ ) {
previewIcon = `<i class="material-icons">image</i>`;
} else if (/\.(mp4|mkv|webm|mov|ogv)$/i.test(file.name)) {
previewIcon = `<i class="material-icons">videocam</i>`;
Source: https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e
The thumbnail generation logic was also patched:
// thumbnail
let thumbnail;
- if (/\.(jpe?g|png|gif|bmp|webp|svg|ico)$/i.test(file.name)) {
+ if (/\.(jpe?g|png|gif|bmp|webp|ico)$/i.test(file.name)) {
const cacheKey = previewURL; // include folder & file
if (window.imageCache && window.imageCache[cacheKey]) {
thumbnail = `<img
Source: https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e
Detection Methods for CVE-2025-66403
Indicators of Compromise
- SVG files with embedded <script> tags in upload directories
- SVG files containing JavaScript event handlers such as onload, onclick, onerror, or onmouseover
- Unusual JavaScript execution patterns originating from SVG file rendering
- Session token exfiltration attempts from the FileRise application domain
Detection Strategies
Organizations can detect exploitation attempts through:
- Web Application Firewall (WAF) Rules: Configure rules to inspect SVG file uploads for embedded script content or event handlers
- Log Analysis: Monitor file upload logs for SVG files and correlate with suspicious user activity
- Content-Type Inspection: Alert on SVG files with unusual or obfuscated XML content
- Browser Security Headers: Monitor Content-Security-Policy (CSP) violation reports that may indicate script injection attempts
Monitoring Recommendations
Security teams should implement monitoring for:
- File upload activity targeting SVG files specifically
- JavaScript errors or execution from unexpected file paths
- Outbound network requests triggered during file preview operations
- Session cookie access patterns that may indicate theft attempts
How to Mitigate CVE-2025-66403
Immediate Actions Required
- Upgrade FileRise to version 2.2.3 or later immediately
- Audit existing uploaded SVG files for malicious content
- Consider removing or quarantining existing SVG uploads until they can be verified
- Implement Content-Security-Policy headers to restrict script execution sources
Patch Information
The vulnerability has been fixed in FileRise version 2.2.3. The patch modifies the file handling logic in public/js/domUtils.js and public/js/fileListView.js to explicitly exclude SVG files from in-browser preview and thumbnail generation.
The fix is available in commit f2ce43f18f0444f8f63f7c33758d1837dd5ba91e. For complete details, refer to the security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29.
Workarounds
If immediate upgrading is not possible, organizations can implement the following temporary mitigations:
# Block SVG uploads at the web server level (nginx example)
location /upload {
# Deny SVG file uploads
if ($request_filename ~* \.svg$) {
return 403;
}
}
# Alternative: Set Content-Disposition header to force download for SVG files
location ~* \.svg$ {
add_header Content-Disposition "attachment";
add_header X-Content-Type-Options "nosniff";
}
Additional workarounds include:
- Restricting file upload permissions to trusted users only
- Implementing server-side SVG sanitization before storage
- Serving uploaded files from a separate domain to isolate script execution context
- Configuring strict Content-Security-Policy headers to prevent inline script execution
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
