CVE-2025-34282
📋 TL;DR
This SSRF vulnerability in ThingsBoard allows an authenticated attacker to upload a malicious SVG file whose external references cause the server itself to make outbound requests. Attackers can exploit this to reach internal services and resources that should not be externally accessible. All ThingsBoard instances running vulnerable versions with the Image Upload Gallery feature enabled are affected.
💻 Affected Systems
- ThingsBoard
📦 What is this software?
ThingsBoard is an open-source IoT platform (device management, telemetry collection, rule engine and dashboards) developed by the ThingsBoard project.
⚠️ Risk & Real-World Impact
Worst Case
SSRF used as a pivot: the ThingsBoard host is made to reach internal services that trust it (cloud metadata endpoints, admin interfaces, unauthenticated internal APIs), potentially leading to credential theft, lateral movement or data exfiltration.
Likely Case
Information disclosure from internal services, reconnaissance of internal network structure, and potential access to cloud metadata services.
If Mitigated
Limited impact with proper network segmentation and egress filtering, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires an authenticated account that is allowed to upload images to the gallery. Once authenticated, exploitation is straightforward: the attacker uploads an SVG containing external references and the server fetches them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.1
Vendor Advisory: https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
Restart Required: Yes
Instructions:
1. Back up your ThingsBoard instance and its database before upgrading.
2. Download version 4.2.1 from the official repository.
3. Follow the upgrade instructions for your deployment method (Docker, package, source).
4. Restart the ThingsBoard service.
🔧 Temporary Workarounds
Disable Image Upload Gallery
Temporarily disable the vulnerable feature until patching is possible
Modify the ThingsBoard configuration to disable image upload functionality, or restrict the feature to a small set of trusted administrator accounts
Restrict SVG Uploads
Implement file upload filtering to block SVG files
Configure the web application firewall or reverse proxy to block SVG uploads to the /api/dashboard/images endpoint. Do not rely on the file extension or the client-supplied Content-Type alone; a filter that inspects the body for an SVG root element (and for external references inside it) is much harder to bypass.
🧯 If You Can't Patch
- Implement strict network egress filtering from the ThingsBoard servers: deny outbound connections to internal ranges and to cloud metadata endpoints (169.254.169.254), allowing only the dependencies ThingsBoard actually needs (database, message broker, cache)
- Deploy web application firewall rules to detect and block SVG files containing external URL references
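The two filtering mitigations above (blocking SVG uploads at the proxy, and WAF rules for SVGs with external URL references) both come down to inspecting the uploaded body. The following is an added example, not ThingsBoard or vendor code, of a content-level screen that flags what would make a server-side renderer or XML parser reach outside the file: href/xlink:href values that are neither same-document fragments nor data: URIs, url()/@import in styles, script and foreignObject elements, and any DOCTYPE, ENTITY or xml-stylesheet declaration. The size cap and the sample SVGs are constructed for the example.

```python
"""Content-level screen for uploaded SVGs: flag anything that would make a
server-side renderer or XML parser reach outside the file.

Added example, not ThingsBoard code. MAX_SVG_BYTES is a hypothetical cap.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_SVG_BYTES = 2 * 1024 * 1024  # hypothetical size cap; tune per deployment

XLINK = "{http://www.w3.org/1999/xlink}"
# Attributes whose value a renderer dereferences (<image>, <use>, <feImage>, <a>, ...).
REF_ATTRS = {"href", XLINK + "href"}
# An uploaded icon never needs a DOCTYPE or a stylesheet PI; both are external
# entity / external resource entry points, so reject them on the raw bytes
# before any XML parser sees the file.
RAW_RED_FLAGS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b|<\?xml-stylesheet\b", re.IGNORECASE)
# url(...) and @import inside <style> elements or style="" attributes.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")]+)|@import\s+['"]?([^'";\s]+)""", re.IGNORECASE)


def is_external(ref: str) -> bool:
    """Only same-document fragments (#id) and inline data: URIs are allowed;
    everything else (http, https, file, relative paths, //host) counts as external."""
    ref = ref.strip()
    if ref.startswith("#"):
        return False
    return urlsplit(ref).scheme.lower() != "data"


def _css_refs(css: str, where: str) -> list[str]:
    out = []
    for m in CSS_REF.finditer(css):
        ref = (m.group(1) or m.group(2) or "").strip()
        if ref and is_external(ref):
            out.append(f"{where} references {ref!r}")
    return out


def find_external_refs(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means the file passed."""
    if len(svg_bytes) > MAX_SVG_BYTES:
        return ["file exceeds size cap"]
    m = RAW_RED_FLAGS.search(svg_bytes)
    if m:
        return [f"forbidden declaration {m.group(0).decode()!r}"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element present")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1]
            if attr in REF_ATTRS and is_external(value):
                findings.append(f"<{tag} {name}={value.strip()!r}> is an external reference")
            elif name == "style":
                findings.extend(_css_refs(value, f"<{tag} style>"))
        if tag == "style" and el.text:
            findings.extend(_css_refs(el.text, "<style>"))
    return findings


# Constructed samples (not captured uploads). collector.example uses the reserved .example TLD.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<defs><circle id="dot" r="4"/></defs><use href="#dot"/>'
              b'<image href="data:image/png;base64,iVBORw0KGgo="/></svg>')
METADATA_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<image xlink:href="http://169.254.169.254/latest/meta-data/" width="1" height="1"/></svg>')
STYLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<rect width="5" height="5" style="fill:url(http://collector.example/p.svg#g)"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>')

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_SVG), ("metadata", METADATA_SVG),
                       ("style", STYLE_SVG), ("xxe", XXE_SVG)]:
        print(name, find_external_refs(blob) or "OK")
```

The policy is deliberately allow-list shaped: a dashboard icon only ever needs fragment references and inline data, so anything else is rejected rather than trying to enumerate dangerous schemes. Run the check in the proxy or upload handler before the file reaches ThingsBoard, and treat a non-empty finding list as a reject plus an audit log entry naming the uploading account.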
🔍 How to Verify
Check if Vulnerable:
Check whether your ThingsBoard version is below 4.2.1 and whether the Image Upload Gallery feature is reachable by accounts you do not fully trust
Check Version:
Check the version shown in the ThingsBoard UI admin panel. For Docker deployments the image tag is the quickest check: docker inspect --format '{{.Config.Image}}' thingsboard. For Debian/Ubuntu package installs: dpkg -s thingsboard | grep Version. The command docker exec thingsboard cat /usr/share/thingsboard/conf/tb-core.yml | grep version also works where that configuration file is present in your image layout.
Verify Fix Applied:
Verify the version is 4.2.1 or higher, then confirm the fix behaviourally: upload a test SVG that references a listener you control (on a host you own, not an internal service) and check that the listener receives no request from the ThingsBoard server
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from ThingsBoard server
- Multiple SVG file uploads from single user
- Requests to internal IP ranges or cloud metadata endpoints
Network Indicators:
- Outbound HTTP requests from ThingsBoard server to unexpected internal destinations
- Connections from the ThingsBoard host to RFC 1918 ranges, 169.254.169.254 or loopback-exposed services that are not among its configured dependencies (database, message broker, cache)
SIEM Query (pseudo-query; field names and the thingsboard_servers / internal_ranges lookups are placeholders to map onto your schema):
(source="thingsboard" AND event="file_upload" AND file_extension="svg") OR (src_ip IN thingsboard_servers AND dst_ip IN internal_ranges)
Note the explicit parentheses: in most query languages AND binds tighter than OR, so source="thingsboard" AND (...) OR (...) would scope the source filter to the first clause only.
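As an added example, not ThingsBoard or vendor code, of turning the network indicators above into something that runs over logs: the script below parses constructed egress-firewall records, keeps only connections originating from a ThingsBoard node, drops those that match a per-destination port allowlist of known dependencies, and grades the rest (cloud metadata address highest, other internal ranges next, external hosts for review). The key=value log format, host addresses and the dependency allowlist are hypothetical.

```python
"""Triage egress logs for the SSRF network indicators: connections that
originate from a ThingsBoard node and land on internal or metadata addresses
outside its known dependency set.

Added example, not ThingsBoard code. The key=value log format, host addresses
and dependency allowlist are constructed/hypothetical.
"""
import ipaddress
import shlex
from typing import Iterable

# Destinations an SSRF'd server is most likely to be pointed at.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",        # link-local, includes cloud metadata 169.254.169.254
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Hypothetical environment: the ThingsBoard core node and what it should talk to.
TB_HOSTS = {"10.0.1.10"}
ALLOWED = {                  # dst -> allowed destination ports (e.g. PostgreSQL, Kafka)
    "10.0.1.20": {"5432"},
    "10.0.1.21": {"9092"},
}


def parse_kv(line: str) -> dict:
    """Parse one `key=value` log line; values may be double-quoted."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def classify_dst(dst: str) -> str:
    """Return 'metadata', 'internal', 'external' or 'invalid' for a destination address."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "invalid"
    if ip == METADATA_IP:
        return "metadata"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def flag_ssrf_candidates(lines: Iterable[str], tb_hosts=TB_HOSTS, allowed=ALLOWED) -> list[dict]:
    """Return events from a ThingsBoard host to any destination not in the
    allowlist, each tagged with a severity: metadata > internal > external."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        src, dst, dport = ev.get("src"), ev.get("dst"), ev.get("dport")
        if src not in tb_hosts or dst is None:
            continue                                  # not our server, or no dst field
        if dport in allowed.get(dst, set()):
            continue                                  # known dependency, expected traffic
        kind = classify_dst(dst)
        ev["severity"] = {"metadata": "critical", "internal": "high"}.get(kind, "review")
        hits.append(ev)
    return hits


# Constructed sample log (not real traffic). 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
ts=2025-11-03T10:00:01Z src=10.0.1.10 dst=10.0.1.20 dport=5432 proto=tcp action=allow
ts=2025-11-03T10:00:02Z src=10.0.1.10 dst=169.254.169.254 dport=80 proto=tcp action=allow
ts=2025-11-03T10:00:03Z src=10.0.1.10 dst=10.0.5.7 dport=8080 proto=tcp action=allow
ts=2025-11-03T10:00:04Z src=10.0.2.55 dst=10.0.5.7 dport=8080 proto=tcp action=allow
ts=2025-11-03T10:00:05Z src=10.0.1.10 dst=203.0.113.5 dport=443 proto=tcp action=allow
""".splitlines()

if __name__ == "__main__":
    for hit in flag_ssrf_candidates(SAMPLE_LOG):
        print(hit["severity"], hit["ts"], hit["src"], "->", f'{hit["dst"]}:{hit["dport"]}')
```

Build the allowlist from an observed baseline rather than from the architecture diagram: ThingsBoard's rule engine (the REST API call node) and its external integrations legitimately make outbound HTTP requests from the core node, so a zero-tolerance rule will page on normal operation. Correlating a flagged connection with an SVG upload by the same tenant a few seconds earlier (the log indicator above) is what turns a "review" hit into an incident.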