CVE-2025-63317

5.4 MEDIUM

📋 TL;DR

Todoist v8896 contains a stored cross-site scripting (XSS) vulnerability in its file upload API. Attackers can upload malicious SVG files containing JavaScript that executes when victims view the attachments, potentially stealing session cookies or performing actions on behalf of authenticated users. This affects all users of the vulnerable Todoist version who can upload or view attachments.

💻 Affected Systems

Products:
  • Todoist
Versions: v8896
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application interface. Mobile and desktop clients may also be affected depending on how they render SVG attachments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, hijack user accounts, perform actions as authenticated users, or redirect to phishing sites, potentially compromising entire Todoist accounts and associated data.

🟠 Likely Case

Attackers upload malicious SVG files as task attachments, which execute JavaScript when viewed by other users, potentially stealing session tokens or performing limited unauthorized actions.

🟢 If Mitigated

With proper content security policies and input validation, the impact is limited to potential UI manipulation without significant data theft or account takeover.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to upload files to Todoist (typically authenticated users). The GitHub reference shows proof-of-concept SVG files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: unknown

Vendor Advisory: none

Restart Required: No

Instructions:

1. Monitor Todoist for security updates.
2. Upgrade to a patched version when available.
3. Review release notes for XSS fixes in upload functionality.

🔧 Temporary Workarounds

  • Disable SVG uploads (platforms: all): block SVG file uploads at the application or network level.
  • Implement WAF rules (platforms: all): add web application firewall rules to block malicious SVG content.

🧯 If You Can't Patch

  • Disable file upload functionality entirely in Todoist
  • Implement strict content security policies (CSP) to block inline JavaScript execution

🔍 How to Verify

Check if Vulnerable:

Upload an SVG file containing <script>alert('XSS')</script> to Todoist and check whether the JavaScript executes when the attachment is viewed.

Check Version:

Check Todoist version in application settings or about page

Verify Fix Applied:

Test SVG uploads with embedded JavaScript to confirm they no longer execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Large number of file uploads from single user
  • Uploads with script tags in content

Network Indicators:

  • POST requests to /api/v1/uploads with SVG content
  • File uploads containing JavaScript patterns

SIEM Query:

source="todoist" AND (url="/api/v1/uploads" OR file_type="svg") AND content CONTAINS "<script>"
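A content check for uploaded SVGs, added here as an example and not code from Todoist or the referenced PoC: it parses the file and flags the active-content forms the indicators above describe (script elements, on* event-handler attributes, javascript:/data: URIs), which a literal match on "<script>" alone does not catch. The sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run code or embed foreign content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that take a URI; javascript:, vbscript: and data: schemes there are executable.
URI_ATTRIBUTES = {"href", "src"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes; lower-case the rest."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return a list of active-content findings for one uploaded SVG (empty list means none found)."""
    if b"<!ENTITY" in data:
        # Entity declarations are never needed in an icon; refuse before the parser expands them.
        return ["internal DTD entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # An upload gate should reject anything that is not well-formed XML outright.
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name in URI_ATTRIBUTES and ACTIVE_SCHEME.match(value):
                findings.append(f"{name} with active URI scheme on <{tag}>")
    return findings


# Constructed sample uploads for the checks above; alert(1) is the usual harmless marker.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>',
    "href": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="javascript:alert(1)"><text>link</text></a></svg>'),
}

if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        verdict = svg_findings(svg)
        print(f"{label:8} -> {'REJECT ' + '; '.join(verdict) if verdict else 'accept'}")
```

Run at upload time, a non-empty result is both the reject decision and the log line the indicators above call for.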
