CVE-2025-64027

6.1 MEDIUM

📋 TL;DR

Snipe-IT v8.3.4 contains a reflected XSS vulnerability in the CSV import workflow where invalid file uploads return unsanitized HTML in progress messages. An authenticated attacker can inject malicious JavaScript that executes in admin browsers when viewing import pages. Only affects authenticated users with admin access to the CSV import functionality.

💻 Affected Systems

Products:
  • Snipe-IT
Versions: v8.3.4 (build 20218)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin access to the CSV import functionality. The vulnerability is disputed by the supplier on the grounds that exploitation requires the attacker to intercept and modify their own requests (self-MITM).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Admin account compromise leading to full system takeover, data theft, or ransomware deployment through session hijacking or credential theft.

🟠 Likely Case

Limited privilege escalation within the application, session hijacking of admin users, or defacement of admin interface.

🟢 If Mitigated

No impact if proper input validation and output encoding are implemented, or if admin users don't access maliciously crafted import pages.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated admin access and the ability to intercept and modify POST requests to the /livewire/update endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check GitHub repository for security updates
2. Apply any available patches for Snipe-IT v8.3.4
3. Verify input validation is implemented for progress_message parameter

🔧 Temporary Workarounds

Input Validation Implementation (applies to: all)

Add server-side validation and HTML encoding for the progress_message parameter in the CSV import workflow

Modify the Snipe-IT source code so that progress_message is encoded with htmlspecialchars() or an equivalent before it is rendered in the progress message

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent script execution from untrusted sources

Add a Content-Security-Policy header with a script-src 'self' directive

🧯 If You Can't Patch

  • Restrict admin access to CSV import functionality to trusted users only
  • Implement web application firewall rules to block malicious POST requests to /livewire/update

🔍 How to Verify

Check if Vulnerable:

Submit a CSV import with a test payload in the progress_message parameter and check whether the server response reflects it without HTML encoding

Check Version:

Check Snipe-IT version in admin dashboard or via application configuration

Verify Fix Applied:

Verify that the progress_message parameter is HTML-encoded in server responses, so that markup in the value is rendered as text rather than interpreted by the browser

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /livewire/update with suspicious progress_message content
  • CSV import failures with unusual error messages

Network Indicators:

  • Unusual POST payloads to /livewire/update endpoint
  • Admin session tokens being sent to external domains

SIEM Query:

source="web_logs" AND uri_path="/livewire/update" AND (progress_message CONTAINS "<script>" OR progress_message CONTAINS "javascript:")
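The SIEM query above is pseudo-syntax; the following is an added detection example (not part of the original advisory or the Snipe-IT project) that applies the same logic to constructed JSON log records. It assumes a reverse proxy or WAF that logs request bodies as a `body` object, and it decodes URL and HTML-entity encoding before matching so encoded variants of `<script>` and `javascript:` are not missed.

```python
import json
import re
from html import unescape
from urllib.parse import unquote

# Constructed sample records (not real Snipe-IT logs): one JSON object per line,
# in the shape a proxy or WAF with request-body logging might emit.
SAMPLE_LOGS = """\
{"ts":"2025-11-01T10:00:00Z","method":"POST","uri_path":"/livewire/update","user":"admin","body":{"progress_message":"Processing row 3 of 120"}}
{"ts":"2025-11-01T10:00:05Z","method":"POST","uri_path":"/livewire/update","user":"admin","body":{"progress_message":"<script>alert(1)</script>"}}
{"ts":"2025-11-01T10:00:09Z","method":"POST","uri_path":"/livewire/update","user":"admin","body":{"progress_message":"%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}}
{"ts":"2025-11-01T10:00:12Z","method":"POST","uri_path":"/livewire/update","user":"admin","body":{"progress_message":"&lt;img src=x onerror=alert(1)&gt;"}}
{"ts":"2025-11-01T10:00:15Z","method":"GET","uri_path":"/hardware","user":"admin","body":{}}
{"ts":"2025-11-01T10:00:20Z","method":"POST","uri_path":"/livewire/update","user":"alice","body":{"progress_message":"Import failed: invalid file"}}
"""

# Script tags, javascript: URLs and inline event-handler attributes (on...=).
# The last pattern can match ordinary prose such as "one = two", so review hits.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def normalize(value: str) -> str:
    """Strip repeated layers of URL and HTML-entity encoding before matching."""
    prev = None
    while prev != value:
        prev = value
        value = unescape(unquote(value))
    return value


def find_suspicious_updates(log_text: str) -> list[dict]:
    """Return POST /livewire/update records whose progress_message looks like markup."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri_path") != "/livewire/update":
            continue
        msg = rec.get("body", {}).get("progress_message")
        if not isinstance(msg, str):
            continue
        decoded = normalize(msg)
        match = SUSPICIOUS.search(decoded)
        if match:
            hits.append({"ts": rec["ts"], "user": rec.get("user"),
                         "pattern": match.group(0).lower(), "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_updates(SAMPLE_LOGS):
        print(hit["ts"], hit["user"], hit["pattern"], repr(hit["decoded"]))
```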
