CVE-2025-57540

5.4 MEDIUM

📋 TL;DR

A stored XSS vulnerability in Proxmox Virtual Environment's WebAuthn Relying Party configuration field allows authenticated users to inject malicious JavaScript. When other users view the Datacenter configuration page, the script executes in their browsers, enabling client-side attacks like session hijacking or credential theft. This affects Proxmox administrators with access to the Datacenter configuration interface.

💻 Affected Systems

Products:
  • Proxmox Virtual Environment (PVE)
Versions: 8.4
Operating Systems: Debian-based Proxmox installations
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Datacenter configuration WebAuthn Relying Party field. Requires authenticated access to the web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious user could steal administrator session cookies, perform actions as other users, or redirect them to phishing sites, potentially leading to full cluster compromise.

🟠 Likely Case

Authenticated users with limited privileges could escalate privileges by stealing administrator sessions or performing unauthorized actions within the web interface.

🟢 If Mitigated

With proper access controls and input validation, impact is limited to authenticated users who can already access the Datacenter configuration page.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the web interface and knowledge of the vulnerable field. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4-1 or later

Vendor Advisory: https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010

Restart Required: No

Instructions:

1. Update Proxmox packages via CLI: 'apt update && apt dist-upgrade'
2. Verify that the pve-manager version is 8.4-1 or higher
3. No service restart is required

🔧 Temporary Workarounds

Input Validation via Web Interface (all)

Manually validate and sanitize any input in the WebAuthn Relying Party field to prevent script injection.

Restrict Datacenter Configuration Access (all)

Limit access to the Datacenter configuration page to only essential administrators.

🧯 If You Can't Patch

  • Implement strict input validation for the WebAuthn Relying Party field to reject any script-like content
  • Restrict access to the Datacenter configuration page using Proxmox's permission system to only trusted administrators

🔍 How to Verify

Check if Vulnerable:

Check whether the installed pve-manager version is exactly 8.4: 'pveversion -v | grep pve-manager'

Check Version:

pveversion -v | grep pve-manager

Verify Fix Applied:

Verify that the pve-manager version is 8.4-1 or higher: 'pveversion -v | grep pve-manager'

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Datacenter configuration, particularly WebAuthn Relying Party field with script-like content

Network Indicators:

  • Unexpected JavaScript execution in Proxmox web interface, particularly on configuration pages

SIEM Query:

source="proxmox" AND (event="configuration_change" OR event="datacenter_modify") AND field="webauthn_relying_party" AND value CONTAINS "<script>"
