CVE-2025-62793
📋 TL;DR
eLabFTW versions before 5.3.0 serve uploaded SVG files inline without proper sanitization, allowing stored cross-site scripting (XSS) attacks. An attacker can upload a malicious SVG file that executes JavaScript when viewed, potentially hijacking user sessions, exfiltrating data, or performing unauthorized actions. This affects all users of vulnerable eLabFTW instances, particularly research labs using the software for electronic lab notebooks.
💻 Affected Systems
- eLabFTW
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control of victim accounts, leading to data theft, session hijacking, or unauthorized modifications to lab data, potentially compromising research integrity.
Likely Case
Session hijacking or data exfiltration from users who view or interact with the malicious SVG, resulting in unauthorized access to sensitive lab information.
If Mitigated
Limited impact if SVG uploads are restricted or users are trained to avoid suspicious files, but risk remains if the vulnerability is unpatched.
🎯 Exploit Status
Exploitation requires an attacker to upload a crafted SVG file and a victim to view it; no authentication bypass is needed, but user interaction is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.0
Vendor Advisory: https://github.com/elabftw/elabftw/security/advisories/GHSA-rq98-8jh9-684f
Restart Required: No
Instructions:
1. Backup your eLabFTW instance and database.
2. Update to version 5.3.0 or later using the official upgrade instructions at https://doc.elabftw.net/upgrading.html.
3. Verify the update by checking the version in the application settings.
🔧 Temporary Workarounds
Disable SVG file uploads
Restrict or block SVG file uploads in the eLabFTW configuration to prevent malicious uploads.
Modify eLabFTW configuration to set allowed file types excluding SVG; refer to documentation for specific steps.
🧯 If You Can't Patch
- Implement a strict Content Security Policy (CSP) to block inline scripts and limit script execution from SVG files.
- Monitor and audit SVG file uploads and user interactions with uploaded files for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the eLabFTW version in the application settings or via the web interface; if it is below 5.3.0, the instance is vulnerable.
Check Version:
Access the eLabFTW web interface and navigate to the settings or about page to view the version, or check the server logs for version information.
Verify Fix Applied:
After updating, confirm the version is 5.3.0 or higher and test by uploading a benign SVG file to ensure it is served with proper security headers or sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads, especially with script-like content; multiple failed or successful upload attempts from a single IP.
Network Indicators:
- HTTP requests for SVG files with parameters or payloads indicative of XSS attempts; spikes in SVG file downloads.
SIEM Query:
Example: 'source="elabftw_logs" AND (file_extension="svg" OR file_type="image/svg+xml") AND (event="upload" OR event="download")'
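An added example (not part of this advisory and not eLabFTW's own code) of the "script-like content" check named in the log indicators and in the "monitor and audit SVG file uploads" workaround: a Python scanner that flags the SVG constructs that can execute script when a file is viewed inline, namely script elements, `on*` event-handler attributes, `javascript:` links and `foreignObject`. The three sample SVGs and the `run()` handler name in them are constructed fixtures.

```python
"""Flag uploaded SVG files that carry script-capable content (audit helper)."""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# Text-level fallback used only when the file is not well-formed XML.
SCRIPT_LIKE_TEXT = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.I)


def local_name(qualified: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_script_findings(data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML: fall back to a plain text scan so the file is not skipped.
        if SCRIPT_LIKE_TEXT.search(data.decode("utf-8", "replace")):
            findings.append("malformed XML containing script-like text")
        return findings
    for element in root.iter():
        name = local_name(element.tag)
        if name in SCRIPT_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in element.attrib.items():
            attr_name = local_name(attr)  # handles xlink:href as well as plain href
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URI in href on <{name}>")
    return findings


# Constructed fixtures (not files from any real instance); run() is a placeholder name.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
              b'<script>run()</script></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:run()"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("link", LINK_SVG)]:
        print(label, svg_script_findings(sample) or "clean")
```

Run it over each upload as it lands (or over the existing uploads directory) and alert on any non-empty result; a clean result does not prove the file is safe, only that none of the listed constructs is present.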