CVE-2025-41080
📋 TL;DR
A stored XSS vulnerability in Seafile v12.0.10 allows attackers to inject malicious scripts via the 'p' parameter in file upload API endpoints. When victims access compromised files, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. This affects all Seafile instances running the vulnerable version.
💻 Affected Systems
- Seafile
📦 What is this software?
Seafile by Seafile
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the Seafile instance, exfiltrate all stored data, and use the compromised server as a pivot point for further network attacks.
Likely Case
Attackers steal user session cookies to access sensitive files, modify content, or impersonate users within the Seafile platform.
If Mitigated
Script execution is blocked by CSP headers or browser XSS filters, limiting impact to minor UI manipulation.
🎯 Exploit Status
Exploitation requires authenticated access to upload files, but once stored, the payload executes for any user viewing the file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v12.0.11 or later
Vendor Advisory: https://www.seafile.com/en/download/
Restart Required: Yes
Instructions:
1. Back up your Seafile data and configuration.
2. Download the latest version from the official Seafile website.
3. Stop the Seafile service.
4. Replace the installation with the new version.
5. Restart the Seafile service.
6. Verify the version is updated.
🔧 Temporary Workarounds
Input Sanitization Filter
Implement server-side filtering to sanitize the 'p' parameter in API requests before processing.
# Requires custom code modification to Seafile's API handler
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
# Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Disable file upload functionality via the vulnerable API endpoint if not required.
- Implement web application firewall rules to block malicious payloads in the 'p' parameter.
🔍 How to Verify
Check if Vulnerable:
Check if Seafile version is exactly 12.0.10 by examining the version file or admin interface.
Check Version:
grep SEAFILE_VERSION /opt/seafile/seafile-server-latest/seahub/seahub/settings.py
Verify Fix Applied:
Confirm version is 12.0.11 or higher and test file uploads with XSS payloads to ensure they're sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with JavaScript content in 'p' parameter
- Multiple failed XSS attempts in API logs
Network Indicators:
- HTTP POST requests to '/api/v2.1/repos/*/file/' with script tags in parameters
SIEM Query:
source="seafile.log" AND "POST /api/v2.1/repos/" AND ("<script>" OR "javascript:")
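The SIEM query above matches literal strings only, so a percent-encoded `<script>` in the request line passes it unnoticed. The following is an added example (not part of the advisory or of Seafile) that applies the same indicator after decoding; it assumes a combined-format access log and that 'p' travels in the query string, and every log line in it is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Endpoint taken from the network indicator above.
ENDPOINT = re.compile(r"^/api/v2\.1/repos/[^/]+/file/?$")
# The query's two markers plus inline event handlers (added heuristic).
MARKERS = re.compile(r"<\s*script|javascript:|<[^>]*\bon\w+\s*=", re.I)

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %253Cscript%253E is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_p(line):
    """Return the decoded 'p' value if the line matches the indicator, else None."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "POST":
        return None
    url = urlsplit(m.group("target"))
    if not ENDPOINT.match(url.path):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("p", []):
        value = decode_fully(raw)  # parse_qs has already decoded one layer
        if MARKERS.search(value):
            return value
    return None

def scan(lines):
    """Return (line number, decoded p) for every matching log line."""
    hits = ((n, suspicious_p(line)) for n, line in enumerate(lines, 1))
    return [(n, p) for n, p in hits if p is not None]

# Constructed sample lines: REPO-ID and the address are placeholders.
PREFIX = '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] '
SAMPLE_LOG = [
    PREFIX + '"POST /api/v2.1/repos/REPO-ID/file/?p=/docs/report.txt HTTP/1.1" 200 51',
    PREFIX + '"POST /api/v2.1/repos/REPO-ID/file/?p=/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 51',
    PREFIX + '"POST /api/v2.1/repos/REPO-ID/file/?p=/%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 51',
    PREFIX + '"GET /api/v2.1/repos/REPO-ID/file/?p=/%3Cscript%3E HTTP/1.1" 200 51',
]
if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious p = {value!r}")
```

If the deployment sends 'p' in the POST body instead, the access log will not contain it and the same check has to run where request bodies are visible, such as a reverse proxy or WAF.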