CVE-2025-34281
📋 TL;DR
This CVE describes a stored cross-site scripting (XSS) vulnerability in ThingsBoard's Image Gallery feature. Authenticated users can upload malicious SVG images containing JavaScript, which executes when other users view those images via public API endpoints or embedded iframes. This affects all ThingsBoard users running versions before v4.2.1.
💻 Affected Systems
- ThingsBoard
📦 What is this software?
Thingsboard by Thingsboard
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack user sessions, perform unauthorized actions as other users, steal sensitive data, or compromise administrative accounts to take control of the ThingsBoard instance.
Likely Case
Authenticated attackers upload malicious SVG images that execute JavaScript in victims' browsers, potentially stealing session cookies, performing actions on behalf of users, or redirecting to phishing sites.
If Mitigated
With proper input validation and content security policies, malicious SVG uploads would be blocked or sanitized, preventing JavaScript execution while still allowing legitimate image display.
🎯 Exploit Status
Exploitation requires authenticated access to upload SVG files and relies on victims viewing the malicious content through specific endpoints or embedded widgets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.2.1
Vendor Advisory: https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
Restart Required: No
Instructions:
1. Back up your ThingsBoard instance and data.
2. Stop the ThingsBoard service.
3. Upgrade to version 4.2.1 or later using your preferred deployment method (Docker, package manager, etc.).
4. Start the service and verify functionality.
🔧 Temporary Workarounds
Disable SVG uploads
Configure ThingsBoard to block SVG file uploads in the Image Gallery by modifying file type restrictions.
Modify ThingsBoard configuration to restrict allowed image types to non-SVG formats (e.g., PNG, JPG, GIF) in the image upload settings.
Implement Content Security Policy
Add Content Security Policy headers to prevent inline script execution from SVG files.
Add the header Content-Security-Policy: script-src 'self' to HTTP responses for image endpoints.
🧯 If You Can't Patch
- Restrict authenticated user permissions to prevent SVG uploads to the Image Gallery.
- Monitor and audit SVG file uploads through the Image Gallery feature for suspicious content.
🔍 How to Verify
Check if Vulnerable:
Check your ThingsBoard version. If it's earlier than 4.2.1, you are vulnerable. Test by uploading an SVG file with JavaScript content to the Image Gallery and attempting to trigger execution.
Check Version:
Check the ThingsBoard web interface admin panel or run: docker exec thingsboard cat /usr/share/thingsboard/conf/thingsboard.yml | grep version
Verify Fix Applied:
After upgrading to 4.2.1 or later, attempt to upload an SVG containing JavaScript to the Image Gallery. The system should either reject the file or sanitize it to remove executable content.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads to the Image Gallery
- Multiple failed SVG upload attempts
- User sessions accessing malicious image endpoints
Network Indicators:
- HTTP requests to image endpoints with SVG files containing script tags
- Outbound connections from ThingsBoard to external domains following image views
SIEM Query:
source="thingsboard" AND ((event="image_upload" AND file_extension="svg") OR (url_path="/api/images/" AND user_agent_contains="script"))
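A screening check of the kind the "monitor and audit SVG file uploads" item and the log indicators above describe, as an added example that is not ThingsBoard's own code: it parses a candidate SVG and reports script elements, on* event-handler attributes and javascript: URLs, and treats input it cannot parse as a finding rather than a pass. The two fixture SVGs are constructed for illustration.

```python
"""Screen an uploaded SVG for active content before it reaches the Image Gallery."""
import xml.etree.ElementTree as ET

# Element names (namespace stripped) that can carry scripts or foreign markup.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an XML namespace from '{uri}name' or 'prefix:name' forms."""
    if name.startswith("{"):
        name = name.split("}", 1)[1]
    return name.split(":")[-1].lower()


def audit_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing active was found.

    Input that is not well-formed XML is itself reported as a finding, so a scanner
    built on this never silently passes a file it could not inspect."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]
    findings = []
    for elem in root.iter():  # document order, root element first
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # Entity references are already decoded by the parser, so whitespace
            # removal and lowercasing are the only normalisation still needed here.
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif "javascript:" in "".join(value.split()).lower():
                findings.append(f"javascript: URL in {name}= on <{tag}>")
    return findings


# Constructed fixtures (not real uploads): a plain drawing and one with active content.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
              b'<script>alert(1)</script>'
              b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>')

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, audit_svg(svg) or "clean")
```

This is a screening heuristic for audit and alerting, not a sanitizer; a file it flags should be quarantined for review rather than rewritten and served.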