CVE-2025-66512 Overview
CVE-2025-66512 is a Cross-Site Scripting (XSS) vulnerability affecting Nextcloud Server and Nextcloud Server Enterprise. The flaw stems from missing sanitization of uploaded Scalable Vector Graphics (SVG) files. Attackers can craft a malicious SVG and trick an authenticated user into viewing it outside of the Nextcloud web page context. When viewed outside the application, the browser does not enforce the Nextcloud Content Security Policy (CSP), allowing embedded scripts to execute. The issue affects Nextcloud Server and Server Enterprise versions prior to 31.0.12 and 32.0.3. The vulnerability is tracked under [CWE-79] and [CWE-80].
Critical Impact
A malicious user can bypass the Nextcloud Content Security Policy by convincing a victim to open an uploaded SVG outside of the Nextcloud web interface, enabling script execution in the victim's browser.
Affected Products
- Nextcloud Server prior to version 31.0.12
- Nextcloud Server prior to version 32.0.3
- Nextcloud Server Enterprise (same version ranges)
Discovery Timeline
- 2025-12-05 - CVE-2025-66512 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66512
Vulnerability Analysis
Nextcloud Server allows users to upload and view files, including SVG images. SVG is an XML-based image format that natively supports embedded JavaScript through <script> tags and event handlers. To mitigate the inherent script execution risk in SVG rendering, Nextcloud relies on a Content Security Policy applied when SVGs are viewed within the Nextcloud web interface.
The vulnerability manifests when a victim is tricked into opening the uploaded SVG outside the Nextcloud application context, such as via a direct link that renders the file in the browser without the Nextcloud CSP being applied. In this state, malicious script content inside the SVG executes in the origin of the Nextcloud instance. The associated fix was delivered in the Nextcloud viewer component through pull request #3023.
Root Cause
The root cause is missing input sanitization of SVG file contents at upload or serving time. The application depends on CSP headers for defense, but those headers are not consistently applied across all rendering paths for user-uploaded SVG content, leaving a bypass condition when the file is opened outside of the Nextcloud web page.
Attack Vector
Exploitation requires network access and user interaction. An authenticated attacker uploads a weaponized SVG to a Nextcloud instance and then shares a crafted link or convinces a victim through social engineering to open it outside the standard viewer. When the browser renders the SVG directly, scripts embedded in the XML execute in the browser context, potentially exfiltrating session data or performing actions on behalf of the victim on the Nextcloud origin.
// Security patch fragment - css/viewer-init.css
/* extracted by css-entry-points-plugin */
-@import './init-CqqFQTg6.chunk.css';
+@import './init-BedwYrti.chunk.css';
@import './previewUtils-6cpbKhU6.chunk.css';
@import './NcActionButton-DyH89PpO.chunk.css';
@import './NcActionLink-Cay-IPuV.chunk.css';
Source: Nextcloud viewer commit 5044a27. The patch replaces the vulnerable viewer initialization chunk with a rebuilt version that includes updated SVG handling logic tied to the fix in PR #3023.
Detection Methods for CVE-2025-66512
Indicators of Compromise
- Uploaded SVG files containing <script> tags, onload=, onerror=, or javascript: URI schemes within the XML body.
- Web server access logs showing direct requests to SVG assets served from user data paths that are opened outside of the Nextcloud viewer routes.
- Outbound HTTP requests from user browsers to attacker-controlled domains immediately after accessing a Nextcloud-hosted SVG.
Detection Strategies
- Inspect user file uploads for SVGs containing executable script elements or event-handler attributes and quarantine matches for review.
- Correlate authenticated file upload events with subsequent share-link creation and access from external IP addresses within a short time window.
- Monitor browser telemetry for script execution originating from URLs that terminate in .svg served under the Nextcloud domain.
Monitoring Recommendations
- Alert on new SVG uploads from accounts that have not historically uploaded image content.
- Track CSP violation reports from the Nextcloud origin, since blocked script attempts may signal SVG-borne payloads.
- Log and review shared-link accesses referring to SVG resources, especially those accessed by unauthenticated or first-time visitors.
How to Mitigate CVE-2025-66512
Immediate Actions Required
- Upgrade Nextcloud Server and Nextcloud Server Enterprise to version 31.0.12 or 32.0.3, or later.
- Audit existing user-uploaded SVG files for embedded scripts and remove or sanitize suspicious content.
- Review recent share-link activity involving SVG files and revoke links associated with untrusted accounts.
Patch Information
The fix is delivered in Nextcloud Server 31.0.12 and 32.0.3. Technical details are published in the Nextcloud GitHub Security Advisory GHSA-qcw2-p26m-9gc5. The upstream code change is available in the Nextcloud viewer commit 5044a27 and the associated Nextcloud viewer pull request #3023. The original researcher submission is documented in HackerOne report #3357808.
Workarounds
- Restrict SVG uploads at the reverse proxy or web application firewall layer until the upgrade can be applied.
- Force SVG assets to be served with Content-Disposition: attachment so browsers download rather than render them inline.
- Educate users to avoid opening file links from untrusted Nextcloud accounts outside of the Nextcloud viewer interface.
# Example nginx configuration to force SVG download instead of inline render
location ~* \.svg$ {
add_header Content-Disposition "attachment";
add_header X-Content-Type-Options "nosniff";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

