CVE-2025-66403

4.6 MEDIUM

📋 TL;DR

FileRise versions before 2.2.3 have a stored XSS vulnerability where malicious SVG files containing JavaScript can be uploaded and executed when viewed. This allows attackers to perform actions within the application context, potentially stealing session cookies or performing unauthorized actions. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • FileRise
Versions: All versions prior to 2.2.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with SVG upload functionality enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains full control of the victim's session, steals credentials, performs administrative actions, or installs malware on client systems.

🟠 Likely Case: Session hijacking, credential theft, or unauthorized file operations within the application.

🟢 If Mitigated: Limited impact with proper content security policies and user awareness, but still potential for limited session compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload access and victim to view the malicious SVG.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.3

Vendor Advisory: https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29

Restart Required: Yes

Instructions:

1. Back up your FileRise installation and data.
2. Download version 2.2.3 from the official repository.
3. Replace the existing files with the new version.
4. Restart the web server/service.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Configure FileRise to reject SVG file uploads entirely: edit the FileRise configuration to add SVG to the blocked file types.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent script execution from uploaded files: add "Content-Security-Policy: default-src 'self'; script-src 'self'" to the web server headers.

🧯 If You Can't Patch

  • Implement strict file upload validation to sanitize SVG content
  • Isolate FileRise instance and restrict access to trusted users only
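Added example, not FileRise's own code, of the upload-side validation the workaround above calls for: it parses a candidate SVG and returns the reasons it must be rejected (script elements, event-handler attributes, script-capable URLs, embedded HTML). It assumes the upload arrives as raw bytes and that the caller stores the file only when accept_svg_upload() returns True; the sample inputs in the test are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary HTML/external content.
# <set>/<animate*> are included because they can rewrite href at runtime; a
# strict upload gate accepts the false positives this causes on animated art.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
                  "set", "animate", "animatetransform"}
# URL schemes that turn a link or <use> reference into script execution.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return reasons the SVG must be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is rejected outright rather than guessed at.
        return [f"unparseable XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        if name == "style" and el.text and "@import" in el.text:
            findings.append("<style> with @import (external stylesheet load)")
        for attr, value in el.attrib.items():
            aname = local_name(attr)  # xlink:href and href both become "href"
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and SCRIPT_URL.match(value):
                findings.append(f"{aname} with script-capable URL on <{name}>")
    return findings


def accept_svg_upload(data: bytes) -> bool:
    """Upload gate: True only when no finding was raised."""
    return not svg_findings(data)
```

The CSP workaround above only helps if the header is sent on the response that serves the uploaded file, so pair this gate with serving uploads under Content-Disposition: attachment.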

🔍 How to Verify

Check if Vulnerable:

Check if FileRise version is below 2.2.3 and SVG uploads are allowed without sanitization.

Check Version:

Check FileRise admin panel or version file in installation directory

Verify Fix Applied:

Test uploading an SVG with script content - it should be rejected or sanitized in version 2.2.3.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed upload attempts
  • Large SVG files with encoded content

Network Indicators:

  • SVG uploads containing script tags or JavaScript
  • Unusual file type patterns in upload traffic

SIEM Query:

source="filerise" AND (file_type="svg" OR file_extension="svg") AND size>10000
