CVE-2025-63419

6.1 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Scripting (XSS) vulnerability in CrushFTP's file sharing feature where malicious filenames are reflected in email bodies without proper sanitization. Attackers can inject arbitrary HTML/JavaScript that executes when victims view the email, potentially stealing credentials or session cookies. This affects CrushFTP administrators and users who receive file sharing emails.

💻 Affected Systems

Products:
  • CrushFTP
Versions: 11.3.6_48 and potentially earlier
Operating Systems: All platforms running CrushFTP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default file sharing feature configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the CrushFTP server, access all files, and pivot to internal networks.

🟠 Likely Case

Attackers steal user session cookies, access shared files, and perform actions as authenticated users.

🟢 If Mitigated

Limited impact with proper email client security settings and user awareness about suspicious emails.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing malicious email) but payload delivery is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.6_49 or later

Vendor Advisory: https://www.crushftp.com/

Restart Required: Yes

Instructions:

1. Download latest CrushFTP version from vendor website
2. Backup current installation
3. Stop CrushFTP service
4. Install updated version
5. Restart CrushFTP service
6. Verify version is 11.3.6_49 or higher

🔧 Temporary Workarounds

Disable file sharing emails (applies to: all)

Temporarily disable the file sharing email notification feature: edit the CrushFTP server settings to disable 'Send email notifications' for file shares.

Implement WAF rules (applies to: all)

Add XSS protection rules to the web application firewall, including a rule to block HTML/JavaScript in filename parameters.

🧯 If You Can't Patch

  • Restrict file sharing to trusted users only
  • Educate users to view emails in plain text mode

🔍 How to Verify

Check if Vulnerable:

Check whether the CrushFTP version is 11.3.6_48 or earlier and the file sharing feature is enabled

Check Version:

Check CrushFTP admin interface or server logs for version information

Verify Fix Applied:

Confirm that the version is 11.3.6_49 or later and test file sharing with malicious filename payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual filenames containing script tags in file sharing logs
  • Multiple failed file share attempts with special characters

Network Indicators:

  • HTTP requests with script tags in filename parameters
  • Unusual email generation patterns

SIEM Query:

source="crushftp.log" AND (filename CONTAINS "<script>" OR filename CONTAINS "javascript:")
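The query above is pseudo-syntax and only matches literal strings; a filename that arrives URL- or entity-encoded would slip past it. The following is an added example (not CrushFTP's code or log format) of the same detection logic applied to constructed share-log lines, with the filename decoded before the advisory's two indicators (script tags, javascript: URIs) are checked. The key=value field layout and the FILENAME_RE/USER_RE patterns are assumptions to adapt to the real log.

```python
import html
import re
from urllib.parse import unquote
# Constructed sample log lines; the "key=value" layout is an assumption, not
# CrushFTP's real log format. Adjust FILENAME_RE below for your deployment.
SAMPLE_LOG = """\
2025-11-02 10:14:03 share user=alice filename=quarterly-report.pdf to=bob@example.com
2025-11-02 10:15:41 share user=mallory filename=report<script>x</script>.pdf to=admin@example.com
2025-11-02 10:16:02 share user=mallory filename=%3Cscript%3E.txt to=admin@example.com
2025-11-02 10:17:30 share user=carol filename=notes&lt;script&gt;.txt to=dave@example.com
2025-11-02 10:18:11 share user=erin filename=javascript-guide.pdf to=frank@example.com
2025-11-02 10:19:27 share user=mallory filename=readme-javascript:x.txt to=admin@example.com
"""

FILENAME_RE = re.compile(r"filename=(\S+)")  # field layout is an assumption
USER_RE = re.compile(r"user=(\S+)")
# Indicators named by the advisory (script tags, javascript: URIs) plus a
# catch-all for any markup, which legitimate filenames almost never contain.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*[a-z!/]", re.IGNORECASE),
}

def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding (twice, to cover double encoding) so
    encoded variants of the same markup match the plain patterns above."""
    for _ in range(2):
        value = html.unescape(unquote(value))
    return value

def scan_line(line: str):
    """Return (user, raw_filename, [indicator names]) for a share event, or
    None when the line has no filename field."""
    m = FILENAME_RE.search(line)
    if not m:
        return None
    raw = m.group(1)
    decoded = normalize(raw)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    user = USER_RE.search(line)
    return (user.group(1) if user else "?", raw, hits)

def find_suspicious(log_text: str):
    """Scan every line and keep only events with at least one indicator."""
    return [r for r in map(scan_line, log_text.splitlines()) if r and r[2]]

if __name__ == "__main__":
    for user, name, hits in find_suspicious(SAMPLE_LOG):
        print(f"user={user} filename={name!r} indicators={hits}")
```

Note that "javascript-guide.pdf" is deliberately not flagged: the indicator requires the colon, which keeps ordinary filenames out of the alert stream.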
