Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70297

CVE-2025-70297: Mealie Stored XSS Vulnerability

CVE-2025-70297 is a stored XSS vulnerability in Mealie 3.3.1 that allows authenticated attackers to inject malicious scripts via SVG uploads. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-70297 Overview

A stored cross-site scripting (XSS) vulnerability has been identified in Mealie 3.3.1, specifically affecting the recipe asset upload and media serving component. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML by uploading a malicious SVG file. When the uploaded file is served with the image/svg+xml content type and rendered by a victim's browser, the embedded scripts execute in the context of the victim's session.

Critical Impact

Authenticated attackers can persistently inject malicious scripts via SVG file uploads, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of victims.

Affected Products

  • Mealie 3.3.1

Discovery Timeline

  • 2026-02-11 - CVE CVE-2025-70297 published to NVD
  • 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2025-70297

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) exists in Mealie's recipe asset upload functionality. The application fails to properly sanitize or validate SVG file uploads, allowing attackers to embed malicious JavaScript code within SVG files. Since the server serves these files with the image/svg+xml MIME type, browsers interpret and execute any embedded scripts when rendering the SVG content.

The attack requires authentication to upload the malicious file, but once uploaded, the payload persists on the server and executes whenever any user views the affected recipe or media content. This persistence makes the vulnerability particularly dangerous as it can affect multiple users over time without requiring further attacker interaction.

Root Cause

The root cause of this vulnerability is insufficient input validation and sanitization of uploaded SVG files in the recipe asset upload component. Mealie does not strip or neutralize potentially dangerous elements such as <script> tags, event handlers (e.g., onload, onerror), or other executable content within SVG files before storing and serving them to users.

Additionally, the server serves uploaded SVG files with the image/svg+xml content type without implementing Content-Security-Policy headers or other browser-side mitigations that could prevent script execution.

Attack Vector

The attack is network-based and requires user interaction from victims. An authenticated attacker uploads a crafted SVG file containing malicious JavaScript to the recipe asset upload functionality. The SVG file might contain embedded <script> elements or event handler attributes that execute JavaScript when the image is rendered.

When another user (including administrators) views the recipe containing the malicious SVG, their browser parses the SVG and executes the embedded script in the context of the Mealie application. This can lead to session hijacking, credential theft, or other malicious actions performed under the victim's identity.

For technical details and proof-of-concept information, refer to the GitHub CVE-2025-70297 Details and the GitHub Mealie Issue Discussion.

Detection Methods for CVE-2025-70297

Indicators of Compromise

  • SVG files uploaded to Mealie containing <script> tags or JavaScript event handlers
  • Unusual SVG file uploads with suspicious content patterns such as javascript:, onload=, onerror=, or onclick=
  • Web server logs showing requests for SVG files followed by unexpected JavaScript execution or API calls
  • User reports of unexpected behavior or session issues after viewing recipe content

Detection Strategies

  • Implement file content scanning for uploaded SVG files to detect embedded scripts, event handlers, and other potentially malicious elements
  • Monitor web application logs for suspicious SVG file uploads containing JavaScript-related patterns
  • Deploy Web Application Firewall (WAF) rules to inspect file upload payloads for XSS patterns in SVG content
  • Review stored SVG assets periodically for malicious content using automated security scanning tools

Monitoring Recommendations

  • Enable detailed logging for file upload activities in Mealie, including file type, size, and content hash
  • Configure alerting for SVG file uploads to trigger security review, especially in high-risk environments
  • Monitor for unusual session activity that may indicate XSS exploitation, such as unexpected password changes or privilege modifications
  • Implement Content-Security-Policy reporting to detect script execution from unexpected sources

How to Mitigate CVE-2025-70297

Immediate Actions Required

  • Audit existing uploaded SVG files in Mealie for malicious content and remove any suspicious files
  • Consider temporarily disabling SVG uploads until a patch is available or proper sanitization is implemented
  • Implement Content-Security-Policy headers with strict script-src directives to mitigate script execution from uploaded content
  • Educate users about the risk of viewing untrusted recipe content until the vulnerability is addressed

Patch Information

Monitor the official Mealie project for security updates. Review the GitHub Mealie Issue Discussion for patch availability and upgrade instructions. Update to a patched version as soon as one becomes available.

Workarounds

  • Configure the web server to serve SVG files with Content-Type: image/svg+xml replaced by Content-Disposition: attachment to force downloads instead of inline rendering
  • Implement server-side SVG sanitization using libraries like DOMPurify or svg-sanitizer to strip executable content before storage
  • Deploy a reverse proxy or WAF rule to block SVG uploads containing script-related patterns
  • Restrict SVG upload permissions to trusted administrators only until a permanent fix is deployed
bash
# Example nginx configuration to force SVG download instead of inline rendering
location ~* \.svg$ {
    add_header Content-Disposition "attachment";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "script-src 'none'";
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.