Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in Todoist version 8896, designated as CVE-2025-63317. This vulnerability resides in the /api/v1/uploads endpoint. The issue stems from a lack of sanitization applied to uploaded SVG files. Consequently, malicious JavaScript code embedded within a crafted SVG file can be executed when a user opens the attachment from within a task or comment in Todoist.
Technical Details
The vulnerability lies in the insufficient handling of SVG file uploads. Todoist v8896 does not properly sanitize uploaded SVG files before storing and serving them. An attacker can embed JavaScript code within an SVG file, for example in a <script> element or in an event-handler attribute (e.g., onload). When a user interacts with the uploaded SVG file (e.g., clicking to view it), the embedded JavaScript is executed in the user's browser in the context of the Todoist domain, which lets the attacker perform actions on behalf of that user.
Example of a malicious SVG payload:
<svg xmlns="http://www.w3.org/2000/svg">
<script>
alert('XSS Vulnerability!');
// Potential malicious actions here, like stealing cookies or redirecting the user
</script>
</svg>
CVSS Analysis
No CVSS score has been assigned to CVE-2025-63317 yet. However, given the nature of XSS vulnerabilities and their potential impact, it should be considered a medium to high severity issue. A CVSS score will likely be assigned as more information becomes available. Factors influencing the score would include the scope of the vulnerability, the complexity of exploitation, and the impact on confidentiality, integrity, and availability.
Possible Impact
Successful exploitation of this XSS vulnerability can have significant consequences:
- Account Takeover: An attacker could steal a user’s session cookies, allowing them to impersonate the user and gain complete control of their Todoist account.
- Data Theft: Sensitive information stored within Todoist tasks and comments could be accessed and exfiltrated by the attacker.
- Malicious Redirects: Users could be redirected to phishing websites designed to steal their credentials or install malware.
- Defacement: The attacker could modify the content displayed to the user within the Todoist application.
- Spread of Malware: Malicious JavaScript could be used to download and execute malware on the user’s machine.
Mitigation and Patch Steps
To mitigate the risk of CVE-2025-63317, users and Todoist administrators should take the following steps:
- Update Todoist: Upgrade to a patched version of Todoist as soon as it becomes available. This is the most effective way to address the vulnerability.
- Be Cautious of Attachments: Exercise caution when opening attachments from unknown or untrusted sources.
- Input Sanitization (for Todoist Developers): Implement proper input sanitization on the server side to strip potentially malicious code from uploaded SVG files. Specifically, remove or encode JavaScript-related elements and attributes, such as <script> elements and on* event-handler attributes.
- Content Security Policy (CSP): Implement a strong Content Security Policy (CSP) to restrict the sources from which the browser can load resources, limiting the impact of any successful XSS attacks.
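The two developer-side mitigations above, stripping script-bearing elements and attributes from uploaded SVG files and serving stored attachments under a restrictive policy, as an added Python example. This is not Todoist's code: the function names, the header set and the sample SVG inputs are constructed for the illustration, and it uses the standard library's xml.etree (a production upload endpoint should parse with defusedxml to also cover XML entity-expansion attacks, which this sanitizer does not address).

```python
"""Added example, not Todoist's code: a server-side SVG sanitizer and hardened
response headers for an upload endpoint such as the /api/v1/uploads path named
in the advisory.  Names and sample inputs are constructed for this illustration."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize with a plain xmlns, not ns0:
ET.register_namespace("xlink", XLINK_NS)

# SVG elements that run script, embed foreign markup, or can rewrite attributes
# at render time (the animation elements can point an href at javascript:).
ACTIVE_ELEMENTS = {
    "script", "foreignobject", "set", "animate", "animatetransform",
    "animatemotion", "iframe", "embed", "object",
}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def _safe_href(value: str) -> bool:
    """Allow only fragment references and http(s) URLs as link targets.
    Whitespace and control characters are removed first so that a value split
    with a tab or newline cannot slip past a naive prefix check."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return v.startswith(("#", "https://", "http://"))


def sanitize_svg(svg_text: str):
    """Return (clean_svg, findings).  findings names every element or attribute
    that was stripped, so the endpoint can either store clean_svg or reject the
    upload outright when findings is non-empty.  External loads through CSS
    (@import, url()) are not handled here; the CSP header below covers them."""
    root = ET.fromstring(svg_text)
    if _local(root.tag).lower() != "svg":
        raise ValueError("document root is not <svg>")
    findings = []

    def scrub(elem):
        for child in list(elem):
            tag = child.tag if isinstance(child.tag, str) else ""
            if _local(tag).lower() in ACTIVE_ELEMENTS:
                findings.append(f"element <{_local(tag)}>")
                elem.remove(child)          # drops the element and its content
            else:
                scrub(child)
        for attr in list(elem.attrib):
            name = _local(attr).lower()
            if name.startswith("on"):       # onload, onclick, onerror, ...
                findings.append(f"attribute {name} on <{_local(elem.tag)}>")
                del elem.attrib[attr]
            elif name == "href" and not _safe_href(elem.attrib[attr]):
                findings.append(f"unsafe href on <{_local(elem.tag)}>")
                del elem.attrib[attr]

    scrub(root)
    return ET.tostring(root, encoding="unicode"), findings


def attachment_headers(filename: str) -> dict:
    """Response headers for serving a stored SVG upload.  'attachment' makes the
    browser download rather than render the file, and the CSP forbids script and
    external loads if it is rendered anyway (for example via a direct link)."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)   # no quotes or CR/LF in the header
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample inputs: the advisory's <script> payload shape, a variant
# using an event handler and a javascript: link, and a benign file that must
# survive the sanitizer unchanged.
PAYLOAD_SCRIPT = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    "<script>alert('XSS Vulnerability!');</script></svg>"
)
PAYLOAD_HANDLER = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    ' onload="alert(1)"><a xlink:href="java&#9;script:alert(1)"><text>hi</text></a></svg>'
)
BENIGN = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="#08f"/></svg>'
)

if __name__ == "__main__":
    for label, doc in (("script", PAYLOAD_SCRIPT), ("handler", PAYLOAD_HANDLER), ("benign", BENIGN)):
        clean, findings = sanitize_svg(doc)
        print(f"{label}: stripped={findings}\n  {clean}")
    print(attachment_headers("diagram.svg"))
```

In an upload handler, rejecting any file for which findings is non-empty is the simpler policy; returning the cleaned document instead keeps legitimate SVGs working while still removing the payload shown in the advisory. Either way, the headers from attachment_headers apply to every download of a stored file, so the browser never treats the attachment as an executable page in the application's origin.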
