CVE-2025-65027
📋 TL;DR
RomM (ROM Manager) versions before 4.4.1 contain multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When accessed, these files execute JavaScript in victims' browsers, leading to stored Cross-Site Scripting (XSS). Combined with a CSRF misconfiguration, this can enable full administrative account takeover, including creating rogue admin accounts and escalating attacker privileges. All RomM instances running vulnerable versions are affected.
💻 Affected Systems
- RomM (ROM Manager)
📦 What is this software?
Romm by Romm.app
⚠️ Risk & Real-World Impact
Worst Case
Full administrative account takeover, allowing an attacker to create rogue admin accounts, escalate privileges, modify configurations, access sensitive data, and potentially compromise the entire system.
Likely Case
Stored XSS leading to session hijacking, credential theft, and privilege escalation for authenticated attackers.
If Mitigated
With proper input validation and file type restrictions in place, exposure is limited to attacks by authenticated users.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple file upload techniques combined with CSRF.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.1 or 4.4.1-beta.2
Vendor Advisory: https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx
Restart Required: Yes
Instructions:
1. Back up your current RomM installation and database.
2. Update to version 4.4.1 or later using your deployment method (Docker, manual, etc.).
3. Restart the RomM service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
- Restrict file upload types: configure the web server or application to block SVG and HTML file uploads.
- Implement a Content Security Policy: add CSP headers to prevent execution of inline JavaScript, e.g. add "Content-Security-Policy: script-src 'self'" to the web server configuration.
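The "restrict file upload types" workaround is only effective if it looks at file content as well as the declared name, since a renamed SVG still renders as SVG when a browser sniffs it. The following upload filter is an added example written for this advisory; it is not RomM's own code and makes no claims about RomM's upload API. It assumes the application can pass the filter the original filename and the leading bytes of the upload, and all sample payloads in it are constructed for illustration.

```python
"""Server-side upload filter: refuse SVG/HTML regardless of declared extension.

Added example, not RomM project code. Assumes the caller supplies the original
filename and the first bytes of the upload body.
"""
import re

# Extensions that browsers treat as active content when served inline.
BLOCKED_EXTENSIONS = {".svg", ".svgz", ".html", ".htm", ".xhtml", ".xml"}

# Magic bytes of the raster formats a cover/screenshot upload is expected to be.
ALLOWED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"RIFF": "image/webp",  # RIFF container; the WEBP marker is checked below
}

# Markup that indicates the body is a document a browser would execute.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(svg|html|script|iframe|body|head)\b|<\?xml|<!doctype", re.IGNORECASE
)


def extension_of(filename: str) -> str:
    """Return the lowercase final extension ('' if none); 'x.png.svg' -> '.svg'."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def sniff_image_type(head: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in ALLOWED_MAGIC.items():
        if head.startswith(magic):
            if mime == "image/webp" and head[8:12] != b"WEBP":
                return None
            return mime
    return None


def validate_upload(filename: str, head: bytes) -> tuple:
    """Return (accepted, reason_or_mime) for an upload.

    Order of checks: blocked extension, then markup sniffing (so a renamed SVG
    such as 'cover.png' containing '<svg ...>' is still refused), then a
    positive match against an expected raster image format.
    """
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is not allowed"
    # Drop a UTF-8 BOM and leading whitespace before looking for markup.
    body = head[3:] if head.startswith(b"\xef\xbb\xbf") else head
    if ACTIVE_MARKUP.search(body.lstrip()[:512]):
        return False, "content looks like SVG/HTML markup"
    mime = sniff_image_type(head)
    if mime is None:
        return False, "content is not a recognised raster image"
    return True, mime


if __name__ == "__main__":
    # Constructed samples, not captured uploads.
    samples = [
        ("cover.svg", b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'),
        ("cover.png", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
        ("cover.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shot.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ]
    for name, head in samples:
        print(name, validate_upload(name, head))
```

Pair this with the CSP workaround: the header only helps against the SVG/HTML case if it is also sent on the responses that serve uploaded files, and serving uploads with Content-Disposition: attachment from a separate origin removes the inline-rendering problem altogether.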
🧯 If You Can't Patch
- Disable file upload functionality entirely in RomM configuration
- Implement strict authentication controls and monitor for suspicious file upload activities
🔍 How to Verify
Check if Vulnerable:
Check the RomM version in the web interface or configuration files. If the version is below 4.4.1, the system is vulnerable.
Check Version:
Check the web interface or the output of docker inspect for version information.
Verify Fix Applied:
After updating, verify version shows 4.4.1 or higher and test that SVG/HTML file uploads are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with SVG/HTML extensions
- Multiple failed authentication attempts followed by successful login
- Administrative account creation or privilege changes
Network Indicators:
- POST requests to file upload endpoints with SVG/HTML content
- Requests to uploaded files with unusual parameters
SIEM Query:
source="romm" AND (file_extension="svg" OR file_extension="html") AND action="upload"
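The SIEM query above flags each active-content upload on its own; the log indicators also call for correlating such an upload with a subsequent admin account creation or privilege change. The script below is an added example for this advisory, not part of the page or of the RomM project. Its key=value log format and every line in SAMPLE_LOG are constructed for illustration, so parse_line() must be adapted to the real audit or access log layout of a deployment; the 30-minute window is an assumed tuning value.

```python
"""Detection over audit log lines: active-content uploads and admin changes.

Added example, not from the advisory or the RomM project. Log format, field
names and all sample lines are constructed; adapt parse_line() to real logs.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed key=value audit log excerpt (not real RomM output).
SAMPLE_LOG = """\
2025-11-20T10:00:01Z user=alice action=upload file=cover.png file_extension=png status=201
2025-11-20T10:02:14Z user=mallory action=upload file=box.svg file_extension=svg status=201
2025-11-20T10:02:30Z user=mallory action=upload file=notes.html file_extension=html status=201
2025-11-20T10:05:00Z user=admin action=user.create target=mallory2 role=admin status=201
2025-11-20T11:40:00Z user=admin action=user.create target=carol role=viewer status=201
"""

# Extensions a browser renders as active content; mirrors the SIEM query.
ACTIVE_EXTENSIONS = {"svg", "svgz", "html", "htm", "xhtml"}
# Assumed action names for the "admin account creation or privilege change" indicator.
ADMIN_ACTIONS = {"user.create", "user.role_change"}
# Assumed correlation window between a suspicious upload and an admin change.
CORRELATION_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts.replace(tzinfo=timezone.utc)}
    for pair in m.group("fields").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that do not parse."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def suspicious_uploads(events):
    """Equivalent of the SIEM query: upload actions with an active-content extension."""
    return [
        e for e in events
        if e.get("action") == "upload"
        and e.get("file_extension", "").lower() in ACTIVE_EXTENSIONS
    ]


def correlate_admin_changes(events, window=CORRELATION_WINDOW):
    """Flag admin account creation or role changes that follow a suspicious upload.

    Returns one alert per admin-level change that happened within `window`
    after at least one suspicious upload, naming the uploading users.
    """
    uploads = suspicious_uploads(events)
    alerts = []
    for e in events:
        if e.get("action") not in ADMIN_ACTIONS or e.get("role") != "admin":
            continue
        prior = [u for u in uploads if timedelta(0) <= e["ts"] - u["ts"] <= window]
        if prior:
            alerts.append({
                "ts": e["ts"],
                "target": e.get("target"),
                "uploaded_by": sorted({u.get("user", "?") for u in prior}),
            })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for u in suspicious_uploads(evts):
        print("suspicious upload:", u["ts"], u["user"], u["file"])
    for a in correlate_admin_changes(evts):
        print("ALERT admin change after upload:", a)
```

The correlation step is what turns a noisy "someone uploaded an SVG" signal into something worth paging on: an admin-role change shortly after such an upload matches the takeover chain described in the TL;DR, whereas the upload alone is often a benign cover image.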