CVE-2025-51489

5.4 MEDIUM

📋 TL;DR

A stored XSS vulnerability in MoonShine versions before 3.12.5 allows attackers to upload malicious SVG files when creating or updating articles. When users open these SVG files, arbitrary JavaScript executes in their browser context. This affects all MoonShine deployments running vulnerable versions.

💻 Affected Systems

Products:
  • MoonShine
Versions: All versions < 3.12.5
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permissions to create or update articles. SVG file upload functionality must be enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.

🟠 Likely Case

Attackers with article creation/update privileges could embed malicious scripts affecting users who view the SVG files, potentially leading to session hijacking or credential theft.

🟢 If Mitigated

With proper input validation and content security policies, the impact is limited to isolated client-side effects without server compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with article management privileges. SVG files with embedded JavaScript payloads bypass existing filters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.5

Vendor Advisory: https://github.com/moonshine-software/moonshine

Restart Required: No

Instructions:

1. Update MoonShine to version 3.12.5 or later using composer update moonshine/moonshine.
2. Verify the update completed successfully.
3. Clear any cached files or assets.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Temporarily disable SVG file upload functionality in article creation/update forms.

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution from untrusted sources.

🧯 If You Can't Patch

  • Restrict article creation/update permissions to trusted users only
  • Implement WAF rules to block SVG files with JavaScript content

🔍 How to Verify

Check if Vulnerable:

Check MoonShine version in composer.json or via composer show moonshine/moonshine

Check Version:

composer show moonshine/moonshine | grep version

Verify Fix Applied:

Confirm version is 3.12.5 or higher and test SVG upload with script payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple article updates from single user
  • Requests to SVG files with suspicious parameters

Network Indicators:

  • SVG files containing script tags or JavaScript code in uploads
  • Unusual outbound connections after SVG file access

SIEM Query:

source="moonShine" AND (file_extension="svg" AND (content="<script" OR content="javascript:"))
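The WAF rule under "If You Can't Patch" and the upload indicators above both reduce to one check: does an uploaded SVG carry active content? The following is an added example, not MoonShine's own code, of a server-side validator a defender could run on every SVG before storing it. It parses the file as XML (so a namespaced or nested script element is caught, not just the literal string "<script"), and flags script and foreignObject elements, inline event-handler attributes, and javascript: URLs in href attributes. The sample SVG documents are constructed for the self-check.

```python
"""Reject SVG uploads that carry active content (added example, not MoonShine code)."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    # "{namespace}name" -> "name"; both tags and attributes may be namespaced
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]  # never store what we could not parse
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():  # includes the root and every descendant
        name = _local(el.tag)
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler attribute {aname} on <{name}>")
            # javascript: URLs may be padded with whitespace or use mixed case
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def svg_is_safe(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed sample documents for the self-check (not real uploads)
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href=" JavaScript:x()"><text>t</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, svg_findings(doc) or "ok")
```

A rejected upload is also a log event worth forwarding to the SIEM, since a single user repeatedly submitting flagged SVGs is exactly the "multiple article updates from single user" indicator listed above.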
