CVE-2025-70297 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in Mealie 3.3.1, specifically affecting the recipe asset upload and media serving component. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML by uploading a malicious SVG file. When the uploaded file is served with the image/svg+xml content type and rendered by a victim's browser, the embedded scripts execute in the context of the victim's session.
Critical Impact
Authenticated attackers can persistently inject malicious scripts via SVG file uploads, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of victims.
Affected Products
- Mealie 3.3.1
Discovery Timeline
- 2026-02-11 - CVE-2025-70297 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-70297
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists in Mealie's recipe asset upload functionality. The application does not sanitize or validate uploaded SVG files, so an attacker can embed JavaScript in an SVG (a <script> element, an event-handler attribute such as onload, or a javascript: URI). Because the server stores the file as uploaded and serves it from the Mealie origin with the image/svg+xml MIME type, a browser that loads the file as a document runs the embedded script with access to the application's cookies, local storage and API.
One caveat matters for both attackers and defenders: browsers execute SVG script only when the SVG is loaded as a document, that is, when the asset URL is opened directly or embedded through <object>, <embed> or <iframe>. An SVG referenced from an <img> element or a CSS background is rasterized and its scripts are not run. The attack therefore requires an authenticated account to upload the file, after which the payload persists on the server and fires for any user who opens the asset URL on the Mealie origin. This persistence makes the vulnerability particularly dangerous, since one upload can affect many users over time without further attacker interaction.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization of uploaded SVG files in the recipe asset upload component. Mealie does not strip or neutralize potentially dangerous elements such as <script> tags, event handlers (e.g., onload, onerror), or other executable content within SVG files before storing and serving them to users.
Additionally, the server serves uploaded SVG files with the image/svg+xml content type and no browser-side mitigation: there is no Content-Security-Policy on the asset response (the CSP of the application's HTML pages does not govern an SVG opened as its own document) and no Content-Disposition: attachment header that would prevent inline rendering on direct navigation.
Attack Vector
The attack is network-based and requires user interaction from victims. An authenticated attacker uploads a crafted SVG file containing JavaScript through the recipe asset upload functionality. The SVG may carry a <script> element, event-handler attributes (onload, onerror, onclick) or a javascript: URI in an href, any of which execute when the file is rendered as a document.
When another user (including an administrator) opens the uploaded asset in their browser, for example by following its link from the recipe, the browser parses the SVG and runs the embedded script in the context of the Mealie origin. This can lead to session hijacking, credential theft or other actions performed through the Mealie API under the victim's identity.
For technical details and proof-of-concept information, refer to the GitHub CVE-2025-70297 Details and the GitHub Mealie Issue Discussion.
Detection Methods for CVE-2025-70297
Indicators of Compromise
- SVG files uploaded to Mealie containing <script> tags or JavaScript event handlers
- Unusual SVG file uploads with suspicious content patterns such as javascript:, onload=, onerror= or onclick= (match after XML entity decoding, since forms like &#x6A;avascript: or a tab inside the scheme defeat raw pattern matching)
- Web server logs showing a request for an uploaded SVG asset immediately followed by API calls from the same client that the normal recipe UI would not issue, such as changes to the user's own account or to other users
- User reports of unexpected behavior or session issues after viewing recipe content
Detection Strategies
- Implement file content scanning for uploaded SVG files to detect embedded scripts, event handlers, and other potentially malicious elements
- Monitor web application logs for suspicious SVG file uploads containing JavaScript-related patterns
- Deploy Web Application Firewall (WAF) rules to inspect file upload payloads for XSS patterns in SVG content
- Review stored SVG assets periodically for malicious content using automated security scanning tools
Monitoring Recommendations
- Enable detailed logging for file upload activities in Mealie, including file type, size, and content hash
- Configure alerting for SVG file uploads to trigger security review, especially in high-risk environments
- Monitor for unusual session activity that may indicate XSS exploitation, such as unexpected password changes or privilege modifications
- Implement Content-Security-Policy reporting to detect script execution from unexpected sources
How to Mitigate CVE-2025-70297
Immediate Actions Required
- Audit existing uploaded SVG files in Mealie for malicious content and remove any suspicious files
- Consider temporarily disabling SVG uploads until a patch is available or proper sanitization is implemented
- Implement Content-Security-Policy headers with a strict script-src directive on the responses that serve uploaded assets; the CSP of the application's own pages does not apply to an SVG opened as a document, so the header has to be on the asset response itself
- Educate users about the risk of viewing untrusted recipe content until the vulnerability is addressed
Patch Information
Monitor the official Mealie project for security updates. Review the GitHub Mealie Issue Discussion for patch availability and upgrade instructions. Update to a patched version as soon as one becomes available.
Workarounds
- Configure the web server to add Content-Disposition: attachment to responses for uploaded SVG files while leaving the Content-Type as image/svg+xml; direct navigation to the asset then triggers a download instead of rendering the SVG as a document. Verify after the change that recipe images still display as expected
- Implement server-side SVG sanitization that parses the file as XML and strips executable content (script and foreignObject elements, on* attributes, javascript: URIs, and set/animate elements that retarget an href) before storage, as DOMPurify (JavaScript) or svg-sanitizer (PHP) do; regex filtering of the raw bytes misses entity-encoded and whitespace-split payloads
- Deploy a reverse proxy or WAF rule to block SVG uploads containing script-related patterns, understanding that pattern matching on the raw upload is bypassable through entity encoding and is a stopgap, not a fix
- Restrict SVG upload permissions to trusted administrators only until a permanent fix is deployed
# Example nginx configuration to force SVG download instead of inline rendering.
# Adjust the location to the path under which Mealie serves uploaded assets.
# Note: add_header directives in a location block replace, rather than extend,
# any add_header directives inherited from the server block, so repeat those here.
location ~* \.svg$ {
    add_header Content-Disposition "attachment" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "script-src 'none'" always;
}
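The following is an added example, not code from the Mealie project, showing the parser-based approach recommended under both Detection Strategies (scan stored SVG assets for script-bearing content) and Workarounds (strip that content before storage). It parses the upload as XML and classifies elements and attributes after entity decoding, which is what lets it catch a javascript: URI written as java&#x09;script:. The function names scan_svg and sanitize_svg, the finding strings, and the sample SVG documents are assumptions constructed for this example; the parsing uses only the Python standard library, with a note that defusedxml is the more thorough choice for untrusted XML.

```python
"""Scan and sanitize uploaded SVG files (added example; not Mealie project code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that carry executable content when an SVG is loaded as a document.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# <set>/<animate> can rewrite an href to a javascript: URI after load.
ANIMATION_ELEMENTS = {"set", "animate"}


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (lower-cased)."""
    return qname.rsplit("}", 1)[-1].lower()


def _is_script_uri(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside the scheme, so
    # collapse them before comparing ("java\tscript:" still executes).
    return "".join(value.split()).lower().startswith("javascript:")


def _problems(el: ET.Element) -> list[tuple[str, str | None]]:
    """Return (reason, attribute) pairs; attribute is None when the whole element must go."""
    tag = _local(el.tag)
    out: list[tuple[str, str | None]] = []
    if tag in SCRIPT_ELEMENTS:
        out.append((f"<{tag}> element", None))
    for attr, value in el.attrib.items():
        name = _local(attr)
        if name.startswith("on"):
            out.append((f"event handler {name}= on <{tag}>", attr))
        elif _is_script_uri(value):
            out.append((f"javascript: URI in {name}= on <{tag}>", attr))
        elif (tag in ANIMATION_ELEMENTS and name == "attributename"
              and value.strip().lower() in ("href", "xlink:href")):
            out.append((f"<{tag}> retargeting {value.strip()}", None))
    return out


def _parse(data: bytes) -> ET.Element:
    # Refuse entity declarations (entity expansion, XXE) instead of parsing them;
    # defusedxml is the thorough option for untrusted XML.
    if b"<!entity" in data.lower():
        raise ValueError("<!ENTITY> declaration (entity expansion risk, not expanded)")
    try:
        return ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML ({exc}); a browser would not render it") from None


def scan_svg(data: bytes) -> list[str]:
    """Detection: return findings for a stored asset; an empty list means nothing script-bearing."""
    try:
        root = _parse(data)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        findings.extend(reason for reason, _ in _problems(el))
    return findings


def sanitize_svg(data: bytes) -> bytes:
    """Workaround: return the SVG with script-bearing content removed.

    Raises ValueError for malformed input or entity declarations so the
    caller rejects the upload rather than storing it.
    """
    root = _parse(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    for parent in list(root.iter()):
        for child in list(parent):
            if any(attr is None for _, attr in _problems(child)):
                parent.remove(child)  # drop <script>, <foreignObject>, href-retargeting <set>/<animate>
        for _, attr in _problems(parent):
            if attr is not None:
                del parent.attrib[attr]  # drop on* handlers and javascript: URIs
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed sample uploads for demonstration (not real Mealie assets).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/>'
              b'<script>alert(document.domain)</script></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
              b'<rect width="1" height="1"/></svg>')
TAB_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="java&#x09;script:alert(1)"><text y="15">click</text></a></svg>')
SET_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a><set attributeName="href" '
                b'to="javascript:alert(1)"/><text y="20">x</text></a></svg>')
MALFORMED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1"'
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY x "a">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("onload", ONLOAD_SVG),
                         ("tab-href", TAB_HREF_SVG), ("set-href", SET_HREF_SVG),
                         ("malformed", MALFORMED_SVG), ("entity", ENTITY_SVG)]:
        print(name, scan_svg(sample) or "clean")
    print(sanitize_svg(SCRIPT_SVG).decode())
```

Run scan_svg over every stored asset to build the audit list called for under Immediate Actions, and call sanitize_svg on the upload path as the interim fix. Both functions parse before inspecting, so findings are based on decoded element and attribute values rather than on the raw bytes a WAF sees.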
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

