CVE-2025-64759: Critical Stored XSS Vulnerability Threatens Homarr Dashboards

Overview

CVE-2025-64759 describes a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting versions of the Homarr dashboard prior to 1.43.3. This vulnerability allows an attacker to inject malicious JavaScript code that is persistently stored and executed in the browsers of users accessing the affected Homarr instance. Exploiting this vulnerability could lead to severe consequences, including account takeover and data compromise.

Technical Details

The vulnerability stems from the improper handling of uploaded SVG files within the Homarr application. Specifically, the application fails to adequately sanitize SVG files before rendering them. A malicious actor can craft a specially designed SVG file containing embedded JavaScript code. When a user, especially an administrator, views a page that renders or redirects to this malicious SVG file, the embedded JavaScript code is executed within their browser. This allows the attacker to perform actions on behalf of the user, including modifying application settings and potentially gaining administrative privileges.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 8.1, indicating a high severity. This score reflects the potential for significant impact and the relative ease with which the vulnerability can be exploited.

• CVSS Score: 8.1
• Severity: HIGH

Possible Impact

Successful exploitation of this stored XSS vulnerability could have serious consequences:

• Account Takeover: An attacker could inject code to steal user credentials, including administrator accounts.
• Privilege Escalation: As described in the advisory, the attacker can potentially add their own account to the “credentials-admin” group, gaining full administrative access.
• Data Theft: Malicious scripts could be used to steal sensitive data displayed within the Homarr dashboard.
• Defacement: The attacker could modify the appearance of the dashboard, disrupting its functionality.
• Malware Distribution: The attacker could inject code to distribute malware to users visiting the compromised Homarr instance.

Mitigation and Patch Steps

The vulnerability has been addressed in Homarr version 1.43.3. It is strongly recommended to upgrade to this version or a later version as soon as possible.

1. Upgrade Homarr: The most effective mitigation is to upgrade your Homarr installation to version 1.43.3 or later. Follow the official Homarr upgrade instructions.
2. Verify SVG Handling: Even after upgrading, consider reviewing the application’s configuration for any settings related to SVG handling and ensure they are configured securely.
3. Regular Security Audits: Implement a regular security auditing process to identify and address potential vulnerabilities proactively.

References

• CVE ID: CVE-2025-64759
• Commit Patch: https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059
• GitHub Security Advisory: https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2×53