CVE-2025-64711

Severity score: 3.9 (LOW)

📋 TL;DR

This is a self-XSS vulnerability in PrivateBin: dragging a file whose filename contains HTML into the page causes JavaScript to execute in the user's own session. It affects macOS and Linux users of instances with file upload enabled who can be tricked into attaching a maliciously named file. Because the script runs inside the victim's session, it can read the plaintext or the encryption key before the paste is encrypted.

💻 Affected Systems

Products:
  • PrivateBin
Versions: 1.7.7 to 2.0.2
Operating Systems: macOS, Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if file upload is enabled; Windows users are not affected due to filename character handling differences.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker reads plaintext pastes or encryption keys, or manipulates the UI to exfiltrate sensitive data before encryption, defeating the zero-knowledge guarantee for that session.

🟠 Likely Case

Limited impact, because exploitation requires user interaction with a specifically crafted file under specific OS conditions; the most likely use is phishing or UI manipulation on instances where CSP is disabled.

🟢 If Mitigated

With CSP enabled and users aware of the risk, impact is minimal: the HTML injection is blocked and exploitation requires significant user interaction.

🌐 Internet-Facing: LOW
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires convincing the user to create or download a maliciously named file and attach it to PrivateBin; the payload is limited by the maximum filename length.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3

Vendor Advisory: https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-r9x7-7ggj-fx9f

Restart Required: No

Instructions:

1. Back up your PrivateBin instance.
2. Update to version 2.0.3 or later via git pull or your package manager.
3. Verify the fix by checking the installed version.

🔧 Temporary Workarounds

Disable file upload

Applies to: all

Prevents exploitation by disabling the vulnerable drag-and-drop file attachment feature.

Action: edit the PrivateBin configuration and set the 'fileupload' option to false.

Enable Content Security Policy

Applies to: all

CSP can block the HTML injection even if the vulnerability is triggered.

Action: ensure CSP headers are properly configured in the web server.

🧯 If You Can't Patch

  • Disable file upload functionality in PrivateBin configuration
  • Educate users not to drag files from untrusted sources into PrivateBin

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the PrivateBin version is between 1.7.7 and 2.0.2 and file upload is enabled.

Check Version:

Check the PrivateBin version in the web interface or read the VERSION file in the installation directory.

Verify Fix Applied:

Confirm the version is 2.0.3 or later and that commit f9550e5 is present in the deployed tree.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file attachment attempts with special characters in filenames

Network Indicators:

  • None specific to this vulnerability

SIEM Query:

Search for file upload events with filenames containing HTML tags or JavaScript patterns.
