CVE-2025-70297
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Mealie 3.3.1 lets an authenticated user upload an SVG recipe asset that contains JavaScript; the script runs in the browser of any other user who opens the file. Every Mealie instance running the vulnerable version where users can upload recipe assets is affected. An attacker can read data and perform actions as the victim, steal session cookies if they are not marked HttpOnly, or deface the application.
💻 Affected Systems
- Mealie
📦 What is this software?
Mealie is a self-hosted recipe manager and meal planner maintained by the Mealie project (mealie-recipes/mealie on GitHub).
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets an administrator to open the malicious SVG runs JavaScript in the administrator's session: whatever credentials or tokens are reachable from script can be taken, accounts can be created or elevated, and the attacker ends up with full control of the Mealie instance. Reaching internal systems beyond Mealie would need additional vulnerabilities; an XSS payload on its own does not pivot into the network or deploy ransomware.
Likely Case
An authenticated attacker with upload rights steals other users' sessions to impersonate them, alters recipes, or reads data those users can see within the application.
If Mitigated
If uploads are validated (SVG rejected or sanitized) and uploaded files are served with a restrictive Content-Security-Policy, the embedded script never executes; the attacker gets at most a rejected upload.
🎯 Exploit Status
Exploitation requires authenticated access with upload rights and victim interaction: another user must open the malicious SVG as a document. Browsers do not run scripts in an SVG loaded through an <img> tag, so the payload fires when the file is opened directly or embedded via <object>, <iframe> or similar. No tooling is needed; a hand-written SVG is enough once the attacker is authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2 or later
Vendor Advisory: https://github.com/mealie-recipes/mealie/issues/6319
Restart Required: No
Instructions:
1. Back up your Mealie instance and database.
2. Update to Mealie version 3.3.2 or later using your deployment method (Docker, manual, etc.).
3. Verify the update completed successfully and the running version reports 3.3.2 or later.
4. Upload a test SVG containing a harmless script (for example alert(document.domain)) and confirm it no longer executes when opened by another user.
🔧 Temporary Workarounds
Disable SVG uploads
Configure Mealie to reject SVG file uploads at the application or web server level
Configure nginx/apache to reject uploads whose filename ends in .svg or whose declared type is image/svg+xml, or modify Mealie's upload validation to do the same
Implement Content Security Policy
Add CSP headers to prevent inline script execution in uploaded files
Send a restrictive header such as Content-Security-Policy: default-src 'self'; script-src 'self' from the web server. Without 'unsafe-inline', this blocks inline <script> elements, on* event handlers and javascript: URLs. The header must be present on the response that serves the uploaded SVG itself, not only on the HTML pages: a CSP on the page does not govern an SVG that a user opens directly. Serving uploads with Content-Disposition: attachment, or from a separate origin, also keeps an uploaded SVG from running as a same-origin document.
🧯 If You Can't Patch
- Restrict user permissions so that only trusted users can upload recipe assets
- Add web application firewall rules that inspect image/svg+xml uploads for <script elements, on* event handler attributes, javascript: URLs and foreignObject, and block matching requests
🔍 How to Verify
Check if Vulnerable:
Check whether the instance runs Mealie 3.3.1. On a non-production instance, upload an SVG containing a harmless script (for example <script>alert(document.domain)</script>), open it as a second user, and see whether the script executes.
Check Version:
docker exec mealie python -c "import mealie; print(mealie.__version__)" or check web interface footer
Verify Fix Applied:
After updating, attempt to upload a test SVG with JavaScript payload and verify it does not execute when viewed.
📡 Detection & Monitoring
Log Indicators:
- SVG uploads from accounts that do not normally add recipe assets
- Multiple failed upload attempts from one account, which may indicate an attacker probing the validation
- Uploaded SVGs that contain <script elements, on* event handler attributes, javascript: URLs or foreignObject (a working payload fits in a few hundred bytes, so file size is not an indicator)
Network Indicators:
- Uploaded SVG assets fetched directly as a top-level document (rather than as an image), especially by many users shortly after one upload
- Outbound requests from users' browsers to external domains immediately after loading an SVG asset, which is how a payload exfiltrates cookies or tokens
SIEM Query (pseudo-syntax; field names depend on how your reverse proxy or Mealie logs are parsed):
source="mealie-logs" AND (file_extension="svg" OR mime_type="image/svg+xml")
Application and proxy logs normally do not carry the upload body, so match on filename and MIME type here and inspect the stored file for script content separately.