CVE-2025-34282
Published 2025-10-17

Severity: Critical, CVSS 3.1 base score 9.1 (priority P268)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: public exploit available
EPSS: 1.66% (73.7th percentile)
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thingsboard | thingsboard | < 4.2.1 | 4.2.1 |
| thingsboard_inc | thingsboard | < 4.2.1 | 4.2.1 |
Detection & IOCs (extracted from sources)
- Monitor for multipart file uploads of SVG files (MIME type image/svg+xml) to the ThingsBoard /api/image endpoint, especially from authenticated Tenant Admin sessions.
- Inspect SVG files uploaded to ThingsBoard for external URL references (e.g., <image href=...> or <use xlink:href=...> tags pointing to internal network addresses), which are the SSRF trigger mechanism.
- Flag requests to /api/image and /api/widgetType that include the X-Authorization Bearer token header combined with SVG content uploads; this matches the exploit's two-step attack chain.
- Affected versions are ThingsBoard < 4.2.1; version 4.2.0 is confirmed vulnerable. Ensure the patched version is deployed.
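A defender-side check for the SVG inspection listed above, added here as example code (not from ThingsBoard or the source advisory): it scans an uploaded SVG for references that would make a server-side renderer fetch something outside the file, covering href/xlink:href attributes as well as DTD external entities, stylesheet processing instructions and CSS url(). The host names and the sample SVG are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Attributes a renderer dereferences: plain href (SVG 2) and xlink:href (SVG 1.1).
REF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")
# Schemes that leave the document; "data:" URIs and "#fragment" links stay local.
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "gopher", "jar", "netdoc"}
# References element parsing never surfaces: DTD external entities, stylesheet PIs, CSS url().
ENTITY_RE = re.compile(r'<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.I)
STYLESHEET_RE = re.compile(r'<\?xml-stylesheet[^>]*?href\s*=\s*"([^"]+)"', re.I)
CSS_URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)

def is_remote(ref: str) -> bool:
    """True if following this reference would fetch something outside the file."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    scheme = urlparse(ref).scheme.lower()
    return scheme in REMOTE_SCHEMES or (scheme == "" and ref.startswith("//"))

def find_external_refs(svg: bytes) -> list:
    """Return (location, target) pairs for every outbound reference in an SVG upload."""
    text = svg.decode("utf-8", errors="replace")
    hits = [("ENTITY", u) for u in ENTITY_RE.findall(text) if is_remote(u)]
    hits += [("xml-stylesheet", u) for u in STYLESHEET_RE.findall(text) if is_remote(u)]
    hits += [("css-url", u) for u in CSS_URL_RE.findall(text) if is_remote(u)]
    try:
        root = ET.fromstring(svg)  # expat here never fetches external entities
    except ET.ParseError as exc:   # e.g. a referenced external entity; still report what we found
        return hits + [("unparseable", str(exc))]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        for attr in REF_ATTRS:
            value = el.get(attr)
            if value is not None and is_remote(value):
                hits.append((tag, value))
    return hits

# Constructed sample: two outbound references among benign local ones (host names are made up).
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="http://internal.example:8080/status" width="10" height="10"/>
  <use xlink:href="#local"/>
  <image xlink:href="data:image/png;base64,AAAA" width="1" height="1"/>
  <use xlink:href="//cdn.example/sprite.svg#icon"/>
</svg>"""

if __name__ == "__main__":
    for location, target in find_external_refs(SAMPLE_SVG):
        print(f"{location}: {target}")
```

Any non-empty result is a reason to reject the upload or quarantine it for review before the server renders or converts the image.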
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
- NVD, CVSS v4.0: 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
No detection rules found.
No writeups or analysis indexed.