Overview
CVE-2025-66512 is a medium-severity vulnerability affecting Nextcloud Server and Server Enterprise. It allows a malicious user to bypass the Content Security Policy (CSP) by tricking another user into viewing a specially crafted SVG file outside of the Nextcloud Server’s web page context, which could lead to cross-site scripting (XSS) or other malicious activity.
Technical Details
The vulnerability stems from a missing sanitization check when handling uploaded SVG files. A malicious user can upload an SVG file containing JavaScript code or other potentially harmful content. If another user then views that SVG file in a way that bypasses the CSP Nextcloud applies to its own pages (e.g., by directly opening the file URL), the active content within the SVG can be executed in that user’s browser. The vulnerability exists in Nextcloud Server and Server Enterprise versions prior to 31.0.12 and 32.0.3.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-66512 is 5.4 (Medium).
This score reflects the conditions needed for exploitation (the attacker must be able to place an SVG file on the instance and persuade a victim to open it outside the normal page context) and the resulting impact on confidentiality, integrity, and availability.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Cross-Site Scripting (XSS): An attacker could inject malicious scripts into the user’s browser, potentially stealing cookies, session tokens, or redirecting the user to a malicious website.
- Information Disclosure: Sensitive information stored within the Nextcloud instance could be accessed by the attacker.
- Account Takeover: In certain circumstances, an attacker might be able to gain control of a user’s account.
Mitigation and Patch Steps
To mitigate this vulnerability, it is highly recommended to upgrade your Nextcloud Server or Server Enterprise instance to the following versions or later:
- Nextcloud Server: Version 31.0.12
- Nextcloud Server Enterprise: Version 32.0.3
These versions include the patch that properly sanitizes uploaded SVG files and prevents the CSP bypass.
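A defensive check of the kind the missing sanitization step and the fix above describe, as an added example (not Nextcloud’s own code; Nextcloud is written in PHP, this is Python for illustration): it flags script elements, inline event handlers and javascript: URLs in an uploaded SVG so such files can be rejected or served only as a download. The sample SVGs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script or embed a foreign document when the SVG is
# opened as a top-level document instead of being rendered inside an <img>.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# href-style attributes whose value may carry a javascript: URL.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}

def _local(name):
    """Strip an XML namespace: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_text):
    """Return a list of findings describing script-capable content in the SVG.
    An empty list means nothing was found. Malformed XML is reported as a
    finding, so a file the parser cannot understand is never treated as safe."""
    try:
        root = ET.fromstring(svg_text)  # prefer defusedxml for untrusted input
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            aname = _local(attr)
            # Every on* attribute (onload, onclick, ...) is an inline handler.
            if aname.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (aname, tag))
            # Normalise case and embedded whitespace before checking the scheme.
            if attr in HREF_ATTRS and "".join(value.split()).lower().startswith("javascript:"):
                findings.append("javascript: URL in %s on <%s>" % (aname, tag))
    return findings

def is_safe_svg(svg_text):
    """True only when the SVG parsed cleanly and carries no active content."""
    return not find_active_content(svg_text)

# Constructed samples for demonstration; not files taken from the advisory.
BENIGN_SVG = ('<svg xmlns="%s" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="teal"/></svg>' % SVG_NS)
ACTIVE_SVG = ('<svg xmlns="%s" xmlns:xlink="%s" onload="">'
              '<script></script>'
              '<a xlink:href=" JavaScript:"><text>link</text></a></svg>' % (SVG_NS, XLINK_NS))
```

A check like this only reduces the attack surface; serving user uploads with a restrictive CSP and a Content-Disposition of attachment remains the primary control.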
