Overview
CVE-2025-65622 describes a stored Cross-Site Scripting (XSS) vulnerability found in Snipe-IT, specifically affecting versions prior to 8.3.4. This vulnerability resides in the “Country” field within the Locations module. A low-privileged authenticated user can inject malicious JavaScript code that will be stored and executed in the context of other users’ sessions who access the same location data.
Technical Details
The vulnerability stems from insufficient input sanitization and output encoding of the “Country” field within the Locations section of Snipe-IT. A malicious user can inject JavaScript code into this field. When another user views or interacts with the affected location data, the injected script executes in their browser. Because Snipe-IT did not HTML-escape the “Country” value before rendering it, the browser cannot distinguish the injected markup from the application’s own page content and executes the embedded script; this is the stored XSS condition.
The PoC (Proof of Concept) and further analysis can be found in the provided references.
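To make the output-encoding point concrete, here is an added illustration written for this article; it is not code from Snipe-IT or from the referenced research. The rendering functions are hypothetical stand-ins for a template that prints a location's country into a table cell and into an edit form, and the sample values are constructed (the second one carries a harmless script tag so the difference is visible).

```python
import html

# Constructed sample values (not from the advisory or from Snipe-IT's code).
SAMPLE_COUNTRIES = [
    "Côte d'Ivoire",
    "Canada<script>alert(1)</script>",
]


def render_country_cell_unsafe(country: str) -> str:
    """Hypothetical vulnerable rendering: the stored value is concatenated
    straight into the HTML, so any markup it contains becomes part of the page."""
    return f"<td>{country}</td>"


def render_country_cell_safe(country: str) -> str:
    """Hardened rendering: escape <, >, &, \" and ' so the value is shown as
    text. quote=True also makes the result safe inside an attribute value."""
    return f"<td>{html.escape(country, quote=True)}</td>"


def render_country_input_safe(country: str) -> str:
    """The same field pre-filled in a hypothetical edit form; the attribute
    context is why the quote characters must be escaped as well."""
    return f'<input type="text" name="country" value="{html.escape(country, quote=True)}">'


def contains_live_tag(rendered_html: str) -> bool:
    """Check used to compare the two renderings: True if a raw <script tag
    survived into the output, meaning the browser would execute it."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for value in SAMPLE_COUNTRIES:
        print("unsafe:", render_country_cell_unsafe(value))
        print("safe:  ", render_country_cell_safe(value))
        print("input: ", render_country_input_safe(value))
```

The escaping has to happen at output time, in the context where the value is printed (text node versus attribute value); storing the value unchanged is fine as long as every template that prints it encodes it for its context.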
CVSS Analysis
As of the publication of this article, the CVSS score and severity for CVE-2025-65622 are currently listed as N/A. This is likely due to the vulnerability being newly discovered or still under investigation. However, given the nature of stored XSS vulnerabilities, it’s crucial to address this issue promptly, as it can lead to significant security risks.
Possible Impact
A successful XSS attack can have several severe consequences:
- Session Hijacking: Attackers could steal a user’s session cookies and impersonate them.
- Data Theft: Sensitive information displayed within Snipe-IT, such as asset details, user data, or license keys, could be stolen.
- Defacement: The attacker can modify the appearance of the Snipe-IT interface.
- Malware Distribution: Users could be redirected to malicious websites or unknowingly download malware.
- Privilege Escalation: If the targeted user has higher privileges, the attacker could potentially gain administrative access to the system.
Mitigation or Patch Steps
The primary mitigation for CVE-2025-65622 is to upgrade Snipe-IT to version 8.3.4 or later. This version includes the necessary security fixes to properly sanitize and encode user input, preventing the execution of malicious JavaScript code.
- Upgrade Snipe-IT: The recommended approach is to upgrade to the latest stable version of Snipe-IT (8.3.4 or later). Refer to the official Snipe-IT upgrade documentation on snipeitapp.com for detailed instructions.
- Input Sanitization (If patching isn’t immediately possible): While not recommended as a primary defense, consider implementing or enhancing input sanitization on the “Country” field to filter out potentially malicious characters. This is a temporary measure and should not replace the official patch.
- Web Application Firewall (WAF): Employing a WAF can help detect and block XSS attacks. Configure your WAF to filter out potentially malicious requests targeting the “Country” field.
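As an added example of the interim input-validation measure above, and of a check worth running after the upgrade, the following script is written for this article and is not part of Snipe-IT. The allowlist pattern for country names is an assumption (Latin-script names with the usual punctuation), the Location records are constructed, and the audit simply reports which stored rows fail validation or carry markup so an administrator can review them.

```python
import re
from dataclasses import dataclass

# Allowlist for a country name: a letter, then letters, spaces and the
# punctuation that occurs in real country names. Latin-1 accented letters are
# covered; the rule is an assumption for this example, not Snipe-IT's own.
COUNTRY_RE = re.compile(r"^[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ \.'’,()-]{0,98}$")

# Fragments that have no place in a country name and indicate stored markup.
# The apostrophe is deliberately absent (Côte d'Ivoire); attribute breakouts
# are still caught by the quote and on*= patterns.
MARKUP_RE = re.compile(r'[<>"]|&#|&[a-z]+;|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


@dataclass
class Location:
    id: int
    name: str
    country: str


# Constructed records standing in for rows of a locations table.
SAMPLE_LOCATIONS = [
    Location(1, "Head office", "United States"),
    Location(2, "Field lab", "Côte d'Ivoire"),
    Location(3, "Warehouse", "Germany<script>alert(1)</script>"),
    Location(4, "Remote site", 'Canada" onfocus="alert(1)'),
]


def is_valid_country(value: str) -> bool:
    """Allowlist validation to apply to the Country field before it is stored."""
    return COUNTRY_RE.fullmatch(value.strip()) is not None


def looks_like_markup(value: str) -> bool:
    """Detector for already-stored values that carry HTML or script fragments."""
    return MARKUP_RE.search(value) is not None


def audit_locations(locations):
    """Return the ids of records whose Country field fails validation or
    contains markup. Upgrading fixes the code path, but rows written while
    the old version was running are still worth reviewing."""
    return [loc.id for loc in locations
            if not is_valid_country(loc.country) or looks_like_markup(loc.country)]


if __name__ == "__main__":
    print("location ids needing review:", audit_locations(SAMPLE_LOCATIONS))
```

Validation of this kind narrows the attack surface but is a stopgap: it cannot replace context-aware output encoding, and the allowlist will reject legitimate non-Latin names, so treat a validation failure as a prompt for review rather than proof of abuse.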
References
- Snipe-IT Official Website: http://snipeitapp.com
- Vulnerability Research: https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65622
