CVE-2025-57539

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment 8.4 allows authenticated users to inject malicious scripts into the U2F Origin field. When other users view the affected configuration page, the scripts execute in their browser context, potentially compromising their sessions. This affects all Proxmox VE 8.4 installations with authenticated user access.

💻 Affected Systems

Products:
  • Proxmox Virtual Environment
Versions: 8.4
Operating Systems: Debian-based Proxmox installations
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the Datacenter configuration interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as other users, redirect victims to malicious sites, or deploy ransomware through the management interface.

🟠 Likely Case

Authenticated attackers with malicious intent could hijack administrator sessions to gain full control of the virtualization environment.

🟢 If Mitigated

With proper access controls and monitoring, exposure is limited to the authenticated users who can reach the configuration page, i.e. trusted personnel.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of the Web UI. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Proxmox VE 8.5 or later

Vendor Advisory: https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010

Restart Required: No

Instructions:

1. Update Proxmox VE to version 8.5 or later using 'apt update && apt dist-upgrade'.
2. Verify that the update completed successfully.
3. Clear the browser cache to ensure the new UI loads.

🔧 Temporary Workarounds

Input Validation via Web UI (all)

Manually validate and sanitize all U2F Origin field inputs before saving configurations.
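A strict allowlist validator for the U2F Origin value, added here as an example; it is not Proxmox code. It assumes the origin has the WebAuthn shape `https://host[:port]` with no path, query, fragment or userinfo, and pairs the input check with the output-encoding step that a stored-XSS fix relies on. The helper names `validate_u2f_origin` and `render_origin_cell` are hypothetical.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 hostname labels: alphanumerics with inner hyphens, each label at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_u2f_origin(value: str) -> tuple[bool, str]:
    """Accept only 'https://host[:port]' (the WebAuthn origin shape); return (ok, reason)."""
    if not value or len(value) > 280:
        return False, "empty or too long"
    # Reject control, whitespace and non-ASCII characters *before* parsing: urlsplit
    # silently strips tab/CR/LF, so a check after parsing would miss them.
    if any(not 0x21 <= ord(c) <= 0x7E for c in value):
        return False, "control, space or non-ASCII character"
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.path or parts.query or parts.fragment:
        return False, "origin must not carry a path, query or fragment"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo is not allowed"
    host = parts.hostname or ""
    if len(host) > 253:
        return False, "host too long"
    if not _HOST_RE.match(host):
        try:
            ipaddress.ip_address(host)  # a bare IPv4/IPv6 literal is also an acceptable host
        except ValueError:
            return False, "invalid host"
    try:
        port = parts.port  # raises ValueError on non-numeric or out-of-range ports
    except ValueError:
        return False, "invalid port"
    if port == 0:
        return False, "invalid port"
    return True, "ok"


def render_origin_cell(value: str) -> str:
    """Output encoding: HTML-escape a stored value before it is placed in a page."""
    return html.escape(value, quote=True)
```

Input validation narrows what can be stored; the escaping step is what stops an already-stored value from executing when another user's browser renders the configuration page.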

🧯 If You Can't Patch

  • Restrict access to Datacenter configuration to trusted administrators only.
  • Implement web application firewall (WAF) rules to block XSS payloads in U2F Origin fields.

🔍 How to Verify

Check if Vulnerable:

Check whether the host is running Proxmox VE 8.4 with the 'pveversion' command.

Check Version:

pveversion

Verify Fix Applied:

Confirm that 'pveversion' reports 8.5 or later, then test that U2F Origin field input is sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Datacenter configuration
  • Multiple failed login attempts followed by configuration changes

Network Indicators:

  • Suspicious JavaScript payloads in HTTP POST requests to /api2/json/nodes/{node}/config

SIEM Query:

source="proxmox" AND (event="config_change" AND field="u2f_origin")
