CVE-2025-64759
📋 TL;DR
This stored XSS vulnerability in Homarr allows attackers to execute arbitrary JavaScript in users' browsers by uploading a malicious SVG file, potentially granting administrative access if an admin views the file. It affects all Homarr instances prior to version 1.43.3. Users with administrative privileges are at highest risk.
💻 Affected Systems
- Homarr
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the Homarr dashboard, allowing them to modify settings, access sensitive data, or compromise the underlying system.
Likely Case
Attackers exploit the vulnerability to steal session cookies, perform actions as logged-in users, or escalate privileges to admin level.
If Mitigated
With proper input validation and patching, the risk is eliminated, preventing any malicious SVG execution.
🎯 Exploit Status
Exploitation requires an attacker to upload a malicious SVG and trick an admin into viewing it, but the technical steps are straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.43.3
Vendor Advisory: https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53
Restart Required: Yes
Instructions:
1. Back up your Homarr configuration.
2. Update Homarr to version 1.43.3 or later using your package manager or by pulling the latest Docker image.
3. Restart the Homarr service.
🔧 Temporary Workarounds
Disable SVG uploads
Temporarily block SVG file uploads in Homarr to prevent exploitation.
Modify the Homarr configuration to restrict file uploads to non-SVG formats; the specific commands depend on your deployment method.
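The workaround above is a blanket block on SVG uploads. The following is an added example, not Homarr project code, of how such a block can be enforced server-side: it refuses a file when its extension, its declared MIME type, or its actual bytes identify it as SVG, so a renamed file does not slip through on extension alone. The function name validateUpload(), its field names (filename, declaredType, bytes) and the 4 KB sniffing window are assumptions; the sample inputs are constructed.

```javascript
// Added example, not Homarr project code: reject SVG uploads by inspecting the
// file's bytes, not only its extension or the MIME type the client declares.
// validateUpload(), its field names and the size limit below are hypothetical.

const SVG_HEAD_BYTES = 4096; // the SVG root element appears near the start of the file

// Start of an SVG document: optional BOM and whitespace, optional XML declaration,
// optional comments and DOCTYPE (with or without an internal subset), then "<svg".
const SVG_ROOT_RE =
  /^\uFEFF?\s*(?:<\?xml[\s\S]*?\?>\s*)?(?:<!--[\s\S]*?-->\s*)*(?:<!DOCTYPE[^\[>]*(?:\[[\s\S]*?\])?\s*>\s*)?(?:<!--[\s\S]*?-->\s*)*<svg[\s>\/]/i;

// Decode only the head of the upload; accepts a string or a Uint8Array/Buffer.
function headAsText(bytes) {
  if (typeof bytes === "string") return bytes.slice(0, SVG_HEAD_BYTES);
  return new TextDecoder("utf-8").decode(bytes.subarray(0, SVG_HEAD_BYTES));
}

// True when the bytes are an SVG document, whatever the file is called.
function isSvgContent(bytes) {
  return SVG_ROOT_RE.test(headAsText(bytes));
}

// Returns { ok: true } for an acceptable upload, or { ok: false, reason } when the
// file is SVG by extension, by declared type, or by content. ".svgz" (gzip-compressed
// SVG) cannot be recognised by the text sniff, so the extension check covers it.
function validateUpload({ filename, declaredType, bytes }) {
  const name = String(filename || "").toLowerCase();
  if (name.endsWith(".svg") || name.endsWith(".svgz")) {
    return { ok: false, reason: "svg extension" };
  }
  const type = String(declaredType || "").toLowerCase().split(";")[0].trim();
  if (type === "image/svg+xml") {
    return { ok: false, reason: "svg content type" };
  }
  if (isSvgContent(bytes)) {
    return { ok: false, reason: "svg content" };
  }
  return { ok: true };
}

// Constructed sample inputs: a harmless SVG and the first bytes of a PNG file.
const SAMPLE_SVG =
  '<?xml version="1.0" encoding="UTF-8"?>\n<!-- constructed sample -->\n' +
  '<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><circle cx="4" cy="4" r="3"/></svg>';
const SAMPLE_PNG_HEAD = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

console.log(validateUpload({ filename: "icon.svg", declaredType: "image/svg+xml", bytes: SAMPLE_SVG }));
console.log(validateUpload({ filename: "icon.png", declaredType: "image/png", bytes: SAMPLE_SVG }));
console.log(validateUpload({ filename: "photo.png", declaredType: "image/png", bytes: SAMPLE_PNG_HEAD }));
```

The three checks are deliberately independent: the extension and declared-type checks are cheap and catch the common case, while the content sniff is the one that matters for a file whose name and type were chosen to look like something else.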
🧯 If You Can't Patch
- Restrict access to Homarr to trusted users only and monitor for unusual SVG uploads.
- Implement a web application firewall (WAF) to block malicious SVG payloads.
🔍 How to Verify
Check if Vulnerable:
Check the Homarr version; if it is below 1.43.3, it is vulnerable.
Check Version:
docker exec homarr-container cat /app/package.json | grep version (adjust for your setup)
Verify Fix Applied:
Confirm the Homarr version is 1.43.3 or higher and test that SVG uploads no longer execute JavaScript.
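The version check above is a plain string comparison against 1.43.3, which goes wrong once a patch number has two digits ("1.43.10" sorts before "1.43.3" as text). The following is an added example, not Homarr project code, that reads the "version" field from the package.json output of the docker command above and compares it numerically to the fixed version named in this advisory. The helper names and the sample package.json content are assumptions.

```javascript
// Added example, not Homarr project code: decide whether an instance is below the
// fixed version 1.43.3 from the "version" field of its package.json. The fixed
// version is the one this advisory names; the helper names are hypothetical.

const FIXED_VERSION = "1.43.3";

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional pre-release
// suffix into comparable numbers. A pre-release (e.g. "1.43.3-beta.1") sorts before
// the matching release, as semver specifies, so the fourth component records that.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Component-wise numeric comparison. A plain string comparison would rank
// "1.43.10" below "1.43.3", which is the wrong answer.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Takes the raw package.json text, e.g. the output of
// `docker exec homarr-container cat /app/package.json` (container name from the page).
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  if (typeof pkg.version !== "string") throw new Error("package.json has no version field");
  return { version: pkg.version, vulnerable: isVulnerableVersion(pkg.version) };
}

// Constructed sample of what the container command might print.
const SAMPLE_PACKAGE_JSON = '{"name":"homarr","version":"1.43.2"}';
console.log(checkPackageJson(SAMPLE_PACKAGE_JSON)); // { version: '1.43.2', vulnerable: true }
```

Pipe the full package.json into this rather than the grep output, so the JSON parser, not a regular expression, finds the version field.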
📡 Detection & Monitoring
Log Indicators:
- Log entries showing SVG file uploads, especially with suspicious content or from untrusted sources.
Network Indicators:
- Unusual HTTP requests to upload SVG files or unexpected redirects to SVG resources.
SIEM Query:
source="homarr_logs" AND (file_extension="svg" OR file_type="image/svg+xml")
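The SIEM query above expresses the detection idea in one line; the following added example, not Homarr project code, applies the same logic to a structured access log so the result can be inspected without a SIEM. It flags SVG uploads (by file name or content type, as the query does) and, because the advisory's impact depends on an administrator viewing the file, also flags GET requests for SVG resources. The JSON line format, field names and log contents are constructed for the example; map them onto whatever your deployment actually emits.

```javascript
// Added example, not Homarr project code: flag SVG upload and SVG view events in
// an application access log. The log format and field names are constructed for
// this example and will differ from a real deployment.

// Constructed sample: one JSON object per line, as a structured access log might
// produce. The final line is deliberately malformed to show it is skipped.
const SAMPLE_LOG = [
  '{"ts":"2025-11-10T09:12:01Z","method":"POST","path":"/api/media/upload","status":201,"user":"alice","src_ip":"203.0.113.10","file_name":"logo.svg","content_type":"image/svg+xml"}',
  '{"ts":"2025-11-10T09:13:44Z","method":"POST","path":"/api/media/upload","status":201,"user":"bob","src_ip":"203.0.113.22","file_name":"photo.png","content_type":"image/png"}',
  '{"ts":"2025-11-10T09:15:02Z","method":"GET","path":"/api/media/logo.svg","status":200,"user":"admin","src_ip":"198.51.100.5"}',
  '{"ts":"2025-11-10T09:16:30Z","method":"POST","path":"/api/media/upload","status":201,"user":"carol","src_ip":"203.0.113.33","file_name":"chart.PNG","content_type":"image/svg+xml"}',
  'this line is not JSON and is skipped',
].join("\n");

// Mirrors the SIEM query: SVG by file extension OR by content type.
function isSvgEntry(entry) {
  const name = String(entry.file_name || entry.path || "").toLowerCase();
  const type = String(entry.content_type || "").toLowerCase().split(";")[0].trim();
  return name.endsWith(".svg") || name.endsWith(".svgz") || type === "image/svg+xml";
}

// "svg_upload" for a POST carrying SVG, "svg_view" for a GET of an SVG resource,
// null for anything else.
function classifyEvent(entry) {
  if (!isSvgEntry(entry)) return null;
  if (entry.method === "POST") return "svg_upload";
  if (entry.method === "GET") return "svg_view";
  return null;
}

// Parse the log line by line, skip anything that is not a JSON object, and return
// the flagged events with the fields an analyst needs to follow up.
function findSvgEvents(logText) {
  const events = [];
  for (const line of logText.split("\n")) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // malformed line: skip rather than abort the scan
    }
    if (!entry || typeof entry !== "object") continue;
    const kind = classifyEvent(entry);
    if (kind) {
      events.push({
        kind,
        ts: entry.ts,
        user: entry.user,
        src_ip: entry.src_ip,
        target: entry.file_name || entry.path,
      });
    }
  }
  return events;
}

// Count flagged events per user, which makes a single account repeatedly uploading
// SVG files stand out.
function countByUser(events) {
  const counts = {};
  for (const ev of events) counts[ev.user] = (counts[ev.user] || 0) + 1;
  return counts;
}

const found = findSvgEvents(SAMPLE_LOG);
console.log(found);
console.log(countByUser(found));
```

The fourth sample line is the case the extension-only query in the SIEM would miss: the file is named "chart.PNG" but was uploaded as image/svg+xml, which is why the query on this page checks both fields.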