CVE-2025-64176
📋 TL;DR
ThinkDashboard versions 0.6.7 and below contain an arbitrary file upload vulnerability in the backup import feature. Attackers can bypass client-side file validation to upload malicious files to the /data directory, potentially leading to stored cross-site scripting (XSS) attacks or malware distribution. This affects all self-hosted ThinkDashboard instances running vulnerable versions.
💻 Affected Systems
- ThinkDashboard
📦 What is this software?
ThinkDashboard by MatiasDesuu
⚠️ Risk & Real-World Impact
Worst Case
An attacker uploads malicious JavaScript files that execute in users' browsers, leading to account takeover, credential theft, or malware distribution to all dashboard users.
Likely Case
Stored XSS payloads that steal session cookies or perform unauthorized actions on behalf of authenticated users.
If Mitigated
If proper input validation and file type restrictions are implemented, the attack surface is limited to file storage without execution.
🎯 Exploit Status
Exploitation requires access to the backup import feature, which typically requires authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.8
Vendor Advisory: https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-jvmw-hg62-jr47
Restart Required: Yes
Instructions:
1. Stop the ThinkDashboard service.
2. Update to version 0.6.8 or later.
3. Restart the service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable Backup Import
Temporarily disable the backup import functionality until patching is possible.
Modify configuration to remove or disable backup import endpoints
File Upload Restrictions
Implement server-side file type validation and restrict uploads to specific directories.
Add server-side validation for .zip file contents before extraction
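As an added example of the server-side check described above (not ThinkDashboard's own code, and not its real backup format), the function below inspects an uploaded archive by content before anything is extracted into /data: it checks the zip magic bytes rather than the client-supplied name, rejects entries that could escape the target directory, enforces an assumed allowlist of entry extensions (.json and .db are placeholders), and caps uncompressed sizes. The sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# Assumed allowlist of entry types for a dashboard backup (placeholder, not the real format).
ALLOWED_EXTENSIONS = {".json", ".db"}
MAX_ENTRY_BYTES = 5 * 1024 * 1024    # per-entry uncompressed limit
MAX_TOTAL_BYTES = 20 * 1024 * 1024   # whole-archive uncompressed limit


def validate_backup_zip(data: bytes) -> list[str]:
    """Return rejection reasons; an empty list means the archive may be extracted."""
    problems = []
    # Validate the container by its bytes, never by filename or Content-Type sent by the client.
    # An empty archive (PK\x05\x06) is deliberately rejected as well: it is not a usable backup.
    if not data.startswith(b"PK\x03\x04"):
        return ["not a zip archive (bad magic bytes)"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt zip archive"]
    total = 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Absolute paths, backslashes and ".." components would let an entry land outside /data.
            if name.startswith(("/", "\\")) or "\\" in name or ".." in norm.split("/"):
                problems.append(f"{name}: unsafe path")
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                problems.append(f"{name}: extension {ext or '(none)'} not allowed")
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"{name}: entry too large")
            total += info.file_size  # declared uncompressed size, checked before inflating
    if total > MAX_TOTAL_BYTES:
        problems.append("archive exceeds total uncompressed size limit")
    return problems


def _build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plausible backup, and one carrying an HTML entry plus a traversal path.
GOOD_BACKUP = _build_zip({"config.json": b"{}", "bookmarks.json": b"[]"})
BAD_BACKUP = _build_zip({"config.json": b"{}", "payload.html": b"<p>x</p>", "../x.js": b"1"})
```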
🧯 If You Can't Patch
- Implement strict WAF rules to block malicious file uploads
- Monitor /data directory for unauthorized file changes
🔍 How to Verify
Check if Vulnerable:
Check if ThinkDashboard version is 0.6.7 or below and backup import feature is enabled.
Check Version:
Check the application version in the dashboard interface or configuration files.
Verify Fix Applied:
Verify version is 0.6.8 or later and test backup import with malicious files to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /data directory
- Multiple failed backup import attempts
- Large or unexpected .zip file uploads
Network Indicators:
- POST requests to backup import endpoints with unusual file types
- Uploads containing JavaScript or executable files
SIEM Query:
source="thinkdashboard" AND uri_path="/backup/import" AND method="POST" AND file_extension!="zip"