CVE-2025-45388
📋 TL;DR
Wagtail CMS 6.4.1 has a stored XSS vulnerability in document upload functionality where attackers can embed malicious JavaScript in PDF files. When users click these documents in the CMS interface, the payload executes in their browser context. This primarily affects Wagtail administrators and editors who handle uploaded documents.
💻 Affected Systems
- Wagtail CMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, deface the CMS interface, or redirect users to malicious sites.
Likely Case
Session hijacking of CMS administrators leading to content manipulation, privilege escalation, or data exfiltration from the admin interface.
If Mitigated
Limited impact with proper Content Security Policy headers and file serving configurations that prevent script execution from uploaded files.
🎯 Exploit Status
Exploitation requires an attacker to upload a malicious PDF document, which typically requires some level of access to the CMS (at least document upload permissions). The vendor disputes the vulnerability, treating it as a matter of file-serving configuration rather than a defect in Wagtail itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not applicable
Vendor Advisory: https://github.com/wagtail/wagtail/discussions/12617
Restart Required: No
Instructions:
No official patch exists as this is considered a configuration issue. Follow workarounds and ensure proper file serving configurations.
🔧 Temporary Workarounds
Configure proper Content-Type headers
Ensure uploaded documents are served with appropriate Content-Type headers that prevent browser execution of embedded scripts.
Configure your web server (nginx/apache) or CDN to serve PDF files with 'Content-Type: application/pdf' and 'Content-Disposition: attachment' headers
Implement Content Security Policy
Add CSP headers to prevent inline script execution from uploaded documents.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to your web server configuration
🧯 If You Can't Patch
- Restrict document upload permissions to trusted users only
- Implement file type validation and scanning for uploaded documents
🔍 How to Verify
Check if Vulnerable:
Check if uploaded PDF files are served with proper Content-Type headers and if scripts embedded in PDFs can execute in the browser context.
Check Version:
python -c "import wagtail; print(wagtail.__version__)"
Verify Fix Applied:
Test by uploading a PDF with embedded JavaScript and verify it doesn't execute when accessed through the CMS interface.
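The following check is an added example, not code from Wagtail, the advisory, or any of the references below. It encodes the workarounds above (Content-Type of application/pdf, Content-Disposition: attachment, a CSP that restricts script-src) as a header assessment that can be run against captured response headers or, via check_document_url, against a live document URL that is assumed to be reachable. The X-Content-Type-Options: nosniff check goes one step beyond the page's workarounds. Both sample header sets are constructed.

```python
"""Header check for Wagtail document responses (added example, not Wagtail code)."""
from typing import Dict
import urllib.request

# Constructed sample: a response that lets the browser render the PDF inline
# with no CSP, i.e. the configuration the workarounds are meant to fix.
WEAK_HEADERS = {
    "Content-Type": "application/pdf",
    "Content-Disposition": "inline; filename=report.pdf",
}

# Constructed sample: headers as the workarounds recommend, plus nosniff.
HARDENED_HEADERS = {
    "Content-Type": "application/pdf",
    "Content-Disposition": 'attachment; filename="report.pdf"',
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


def parse_csp(value: str) -> Dict[str, list]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_document_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {check: problem} for each mitigation that is missing.

    An empty dict means every header the workarounds call for is present.
    Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = {}

    # Workaround 1: the file must be declared as a PDF, not e.g. text/html.
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/pdf":
        problems["content-type"] = f"got {media_type or 'none'!r}, expected application/pdf"

    # Workaround 1: force a download instead of inline rendering in the CMS.
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition != "attachment":
        problems["content-disposition"] = "not 'attachment'; browser may render the file inline"

    # Workaround 2: a CSP whose script-src (or default-src fallback) is restrictive.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        problems["csp"] = "no script-src or default-src directive"
    elif any(src in ("*", "'unsafe-inline'") for src in script_sources):
        problems["csp"] = "script-src permits inline or wildcard scripts"

    # Beyond the page's workarounds: stop browsers from second-guessing the type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems["nosniff"] = "X-Content-Type-Options: nosniff not set; MIME sniffing possible"

    return problems


def check_document_url(url: str) -> Dict[str, str]:
    """Fetch only the headers of a document URL (assumed reachable) and assess them."""
    req = urllib.request.Request(url, method="HEAD")  # HEAD: headers without the body
    with urllib.request.urlopen(req) as resp:
        return assess_document_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        problems = assess_document_headers(hdrs)
        print(label, "OK" if not problems else problems)
```

Run it against a real document URL from your own Wagtail admin (for example check_document_url("https://cms.example.test/documents/1/report.pdf") with a placeholder host) once per serving path: documents served by Django, by nginx/Apache, and by a CDN can each carry different headers, and only the path that actually reaches the browser matters. If your server rejects HEAD requests, switch the request method to GET; urlopen does not read the body until you ask for it.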
📡 Detection & Monitoring
Log Indicators:
- Unusual PDF uploads from unexpected sources
- Multiple failed upload attempts with malformed files
Network Indicators:
- HTTP requests for documents with unusual parameters or from unexpected referrers
SIEM Query:
source="wagtail" AND (event="document_upload" OR event="file_upload") AND file_extension="pdf"
🔗 References
- https://docs.wagtail.org/en/stable/deployment/under_the_hood.html#documents
- https://github.com/echoBRT/Wagtail-CMS-XSS/
- https://github.com/wagtail/wagtail/discussions/12617
- https://github.com/wagtail/wagtail/pull/12672
- https://github.com/wagtail/wagtail/wiki/Security-team