CVE-2025-61514
📋 TL;DR
CoCalc before commit 0d2ff58 accepts file uploads without adequately restricting SVG content, so an attacker with upload access can store a malicious SVG on the instance; the CVE entry describes the outcome as code execution and does not detail the path to it. Note that SVG is an XML format that can carry <script> elements and event-handler attributes, so at minimum an attacker-controlled SVG served inline from the CoCalc origin runs script in the browser of anyone who views it unless the file is served with Content-Disposition: attachment or under a restrictive Content-Security-Policy. All CoCalc instances built from a commit older than 0d2ff58 are affected, and the entry's stated worst case is control of the CoCalc server.
💻 Affected Systems
- SageMath, Inc CoCalc
⚠️ Manual Verification Required
This CVE entry carries no version range: the vendor and NVD identify the fix only by commit hash, so automated, version-based vulnerability matching cannot decide whether a given installation is affected. Check the deployed commit instead (see How to Verify).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Server-side code execution allowing data exfiltration, service disruption, or cryptocurrency mining.
If Mitigated
Limited impact if uploads are validated server-side (declared type, file signature and content, not extension alone) and user-supplied files are served so that they cannot run as same-origin script, e.g. with Content-Disposition: attachment and a restrictive Content-Security-Policy.
🎯 Exploit Status
Requires an account or any other means of uploading files to the CoCalc instance; the malicious SVG is the payload. The entry attributes the resulting code execution to how the uploaded SVG is handled (parsed or rendered) without detailing the path, and this page references no public proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 0d2ff5890a3ae62e941aad8a5884dd765b7e98fc or later
Vendor Advisory: https://github.com/sagemathinc/cocalc/commit/0d2ff5890a3ae62e941aad8a5884dd765b7e98fc
Restart Required: Yes (a running deployment must be rebuilt and restarted to load the updated code)
Instructions:
1. Pull the latest changes from the GitHub repository.
2. Confirm the checkout contains commit 0d2ff58 (see How to Verify).
3. Rebuild and restart the CoCalc service so the running process uses the fixed code.
🔧 Temporary Workarounds
Disable SVG file uploads
- Configure CoCalc to reject SVG file uploads entirely, if your deployment exposes such a setting; otherwise reject them at the reverse proxy in front of the upload endpoint
- Block the .svg extension, but do not rely on extension alone: the client controls the filename and declared MIME type, and SVG content can be uploaded under another name
Implement file upload restrictions
- Add server-side validation for uploaded files
- Implement MIME type checking and file signature validation, and inspect SVG content for <script>, event-handler attributes (onload, onclick, ...) and javascript: references
🧯 If You Can't Patch
- Implement strict file upload filtering and validation (declared type, file signature and content, not extension alone)
- Serve user-uploaded files from a separate origin, or with Content-Disposition: attachment and a restrictive Content-Security-Policy, so an uploaded SVG cannot run as same-origin script
- Isolate the CoCalc instance in a network segment with limited access
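The server-side check described above (MIME check, file-signature check, content inspection of SVG), written out as an added example. This is not CoCalc's own code: the element/attribute policy, the size cap, the function names and the sample uploads are all assumptions constructed for the example, and it uses only the Python standard library.

```python
"""Server-side gate for SVG uploads: MIME/signature check plus a content
policy that rejects script-bearing SVG.  Added example; not CoCalc code.
The policy, size cap and the sample uploads below are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 2 * 1024 * 1024          # assumed size cap for an icon/figure
# Elements that run script directly, embed HTML, or can rewrite an href
# into javascript: at animation time.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "animate", "set"}
SAFE_HREF = re.compile(r"^#[A-Za-z_][\w.-]*$")   # same-document fragment only


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def svg_rejection_reason(data: bytes, declared_mime: str) -> Optional[str]:
    """Return None if `data` is an SVG we are willing to store, else the reason."""
    if declared_mime != "image/svg+xml":
        return f"declared MIME {declared_mime!r} is not image/svg+xml"
    if len(data) > MAX_BYTES:
        return f"upload exceeds {MAX_BYTES} bytes"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "not UTF-8 text (signature check failed)"
    if not text.lstrip("\ufeff \t\r\n").startswith("<"):
        return "does not start with an XML tag (signature check failed)"
    # Refuse DOCTYPE/ENTITY outright (entity expansion, external entities)
    # and any processing instruction other than the XML declaration
    # (e.g. <?xml-stylesheet ... ?> pulling in an external stylesheet).
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return "DOCTYPE/ENTITY declarations are not allowed"
    if re.search(r"<\?(?!xml\s)", text):
        return "processing instructions are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):            # onload, onclick, ...
                return f"event handler attribute {name!r} on <{tag}>"
            if name == "href" and not SAFE_HREF.match(value.strip()):
                # covers href and xlink:href; blocks javascript:, data:, http(s):
                return f"non-fragment href {value!r} on <{tag}>"
    return None


# Constructed sample uploads (not real CoCalc traffic).
SAMPLES = {
    "benign":      b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                   b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>',
    "script":      b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
    "onload":      b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "js_href":     b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                   b'<a xlink:href="javascript:alert(1)"><text>click</text></a></svg>',
    "doctype":     b'<!DOCTYPE svg [<!ENTITY e "x">]><svg xmlns="http://www.w3.org/2000/svg">&e;</svg>',
    "png_renamed": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def classify_samples() -> dict:
    """Run the gate over every sample; None means accepted."""
    return {name: svg_rejection_reason(data, "image/svg+xml") for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in classify_samples().items():
        print(f"{name:12s} -> {'ACCEPT' if reason is None else 'REJECT: ' + reason}")
```

The gate is deliberately strict (it rejects on the first problem rather than stripping it), because a rejected upload is cheap and a sanitised-but-still-wrong SVG is not. It does not examine CSS inside style attributes or <style> elements, so pair it with serving uploads under Content-Disposition: attachment or a CSP, or run accepted files through a maintained sanitiser such as DOMPurify before rendering them inline.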
🔍 How to Verify
Check if Vulnerable:
From a checkout of the deployed CoCalc tree, test whether the fix commit is an ancestor of what is running. git log -1 only shows the current commit hash; it does not by itself tell you whether 0d2ff58 is contained in it.
Check Version:
git merge-base --is-ancestor 0d2ff5890a3ae62e941aad8a5884dd765b7e98fc HEAD && echo "fix present" || echo "fix missing (vulnerable)"
Verify Fix Applied:
The command above prints "fix present" once the deployed tree contains the fix commit (a shallow clone that lacks the commit object reports it as missing; run git fetch --unshallow first). Also confirm the service was rebuilt and restarted from that tree: git state alone does not prove the running process has the new code.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads
- Unexpected process execution from CoCalc
- File upload errors or warnings
Network Indicators:
- HTTP POST requests with SVG files to upload endpoints
- Outbound connections from CoCalc server to unknown destinations
SIEM Query (Splunk-style; the field names are illustrative and must be mapped to your web-server or application log schema, and the upload path to your instance's real upload route):
source="cocalc" http_method="POST" uri_path="*upload*" (file_name="*.svg" OR content_type="image/svg+xml")
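The log indicators above, turned into detection logic over web-server access logs, as an added example that is not part of the CVE entry or of CoCalc. It assumes nginx/Apache "combined" log format; the upload path prefix (/upload) and the log lines are constructed for the example and are not real CoCalc routes or traffic.

```python
"""Detection over web-server access logs: flag SVG uploads and bursts of
them from one client.  Added example; not CoCalc code.  The upload path
prefix and the sample log lines are assumptions/constructed data."""
import re
from collections import Counter

UPLOAD_PATHS = ("/upload",)   # assumed; map to your instance's real upload route
SVG_NAME = re.compile(r"\.svgz?\b", re.IGNORECASE)
# Nginx/Apache "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (not real traffic): three SVG uploads from one
# client, one PNG upload, one ordinary page fetch, one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - alice [10/Oct/2025:12:00:01 +0000] "POST /upload?filename=figure1.svg HTTP/1.1" 200 42 "-" "curl/8.0"',
    '203.0.113.7 - alice [10/Oct/2025:12:00:02 +0000] "POST /upload?filename=figure2.svg HTTP/1.1" 200 42 "-" "curl/8.0"',
    '198.51.100.2 - bob [10/Oct/2025:12:00:03 +0000] "POST /upload?filename=plot.png HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.2 - bob [10/Oct/2025:12:00:04 +0000] "GET /projects/abc/files/plot.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [10/Oct/2025:12:00:05 +0000] "POST /upload/figure3.SVG HTTP/1.1" 200 42 "-" "curl/8.0"',
    'garbage line that is not an access-log record',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_svg_upload(rec: dict) -> bool:
    """POST to an upload route whose path or query names an .svg/.svgz file."""
    if rec["method"] != "POST":
        return False
    path = rec["target"].partition("?")[0]
    return path.startswith(UPLOAD_PATHS) and SVG_NAME.search(rec["target"]) is not None


def detect(lines, burst_threshold: int = 3) -> list:
    """Return alert strings: one per SVG upload, plus one per client at/over threshold."""
    alerts, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_svg_upload(rec):
            alerts.append(f"svg-upload ip={rec['ip']} user={rec['user']} "
                          f"target={rec['target']} status={rec['status']}")
            per_ip[rec["ip"]] += 1
    for ip, n in per_ip.items():
        if n >= burst_threshold:
            alerts.append(f"svg-upload-burst ip={ip} count={n}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Access logs usually show only the request line, so the filename has to be recoverable from the path or query string; where the name travels only inside a multipart body, apply the same rule to the application's own upload log instead. The burst rule is there because a single SVG upload is normal on a platform like this, while several in quick succession from one client after a fresh account is the pattern worth a ticket.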