Overview
CVE-2025-64027 details a reflected Cross-Site Scripting (XSS) vulnerability found in Snipe-IT version 8.3.4 (build 20218). This vulnerability resides within the CSV import workflow and allows an attacker to inject arbitrary HTML or JavaScript code into the application’s user interface. This occurs when an invalid CSV file is uploaded, and the resulting error message, specifically the `progress_message`, is rendered without proper sanitization.
Technical Details
The vulnerability is triggered when an administrator attempts to import a malformed CSV file. Snipe-IT then returns an error message as part of the `progress_message` value. However, the application fails to properly sanitize this message before rendering it in the user’s browser. An attacker can intercept the POST request to `/livewire/update`, which handles the CSV import process, and modify the data being sent to inject malicious HTML or JavaScript code into the `progress_message` parameter. This injected code will then be executed within the context of the administrator’s browser when they view the import page. Because the server directly reflects this unsanitized input back to the user, this constitutes a reflected XSS attack.
Specifically:
- An administrator initiates a CSV import in Snipe-IT.
- The attacker intercepts the POST request to `/livewire/update`.
- The attacker modifies the POST data, injecting malicious JavaScript into the `progress_message` parameter. For example:
<script>alert('XSS Vulnerability')</script> - The server receives the modified request and saves the manipulated progress_message.
- When the administrator views the import page, the injected JavaScript executes in their browser.
CVSS Analysis
The CVSS score for this vulnerability is currently N/A, however, typical reflected XSS vulnerabilities are often rated as medium or high severity depending on the scope of impact. Because an authenticated admin is required to trigger the vulnerability, and the potential impact includes session hijacking and unauthorized data access, a high severity is possible. A CVSS score will be updated as soon as possible.
Possible Impact
Successful exploitation of this XSS vulnerability could have significant consequences:
- Account Takeover: An attacker could steal an administrator’s session cookie and gain complete control over the Snipe-IT instance.
- Data Theft: The attacker could inject JavaScript to exfiltrate sensitive data stored within Snipe-IT, such as asset information, user credentials, and financial details.
- Malware Distribution: The injected JavaScript could redirect users to malicious websites or trigger the download of malware.
- Defacement: The attacker could alter the appearance of the Snipe-IT interface to deface the application.
Mitigation and Patch Steps
To mitigate this vulnerability, the following steps should be taken:
- Upgrade Snipe-IT: Upgrade to a patched version of Snipe-IT that addresses this XSS vulnerability. Check the Snipe-IT official website or GitHub repository for updates. (Later versions than 8.3.4 should contain the fix.)
- Input Sanitization: Ensure that all user-supplied input, including data from CSV files, is properly sanitized before being displayed to users. Implement robust input validation and output encoding techniques.
- Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests containing XSS payloads.
- Content Security Policy (CSP): Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in your Snipe-IT deployment.
