CVE-2025-34282
published 2025-10-17


Priority: P2 68 · CVSS 3.1: 9.1 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 1.66% (73.7th percentile)
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Affected (2 ranges)

Vendor          | Product     | Version range | Fixed in
thingsboard     | thingsboard | < 4.2.1       | 4.2.1
thingsboard_inc | thingsboard | < 4.2.1       | 4.2.1

Detection & IOCs (extracted from sources)

url: http://localhost:8080/api/image
url: http://localhost:8080/api/widgetType
path: /api/image
path: /api/widgetType
path: /resources/images
  • Monitor for multipart file uploads of SVG files (MIME type image/svg+xml) to the ThingsBoard /api/image endpoint, especially from authenticated Tenant Admin sessions.
  • Inspect SVG files uploaded to ThingsBoard for external URL references (e.g., <image href=...> or <use xlink:href=...> tags pointing to internal network addresses), which are the SSRF trigger mechanism.
  • Flag requests to /api/image and /api/widgetType that include the X-Authorization Bearer token header combined with SVG content uploads — this matches the exploit's two-step attack chain.
  • Affected versions are ThingsBoard < 4.2.1; version 4.2.0 is confirmed vulnerable. Ensure the patched version (4.2.1) is deployed.
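As an added, defender-side example of the second bullet (not code from the advisory or from the ThingsBoard project), the check below walks an uploaded SVG, classifies every href / xlink:href target, and rejects the file when a target resolves to loopback, private or link-local address space, a .localhost name or a file: URL; public hosts are reported for review. The sample SVG and the reject policy are constructed assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Attributes that make a renderer fetch another resource: SVG 2 href and XLink href.
REF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")

def classify_target(url):
    """'internal', 'external', or None when the reference triggers no fetch."""
    if url.startswith(("#", "data:")):
        return None  # same-document fragment or inline data
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return "internal"  # local file read on the server
    if not parsed.scheme or parsed.hostname is None:
        return None  # relative path, resolved against the upload itself
    host = parsed.hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not a literal address
        return "internal" if host == "localhost" or host.endswith(".localhost") else "external"
    return "internal" if ip.is_loopback or ip.is_private or ip.is_link_local else "external"

def find_refs(svg_bytes):
    """Return (tag, attribute, url, verdict) for every fetch-triggering reference."""
    text = svg_bytes.decode("utf-8", errors="replace")
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        return [("!DOCTYPE", "", "", "dtd")]  # entities are another remote-fetch path
    findings = []
    for el in ET.fromstring(text).iter():
        for attr in REF_ATTRS:
            if attr in el.attrib:
                verdict = classify_target(el.attrib[attr])
                if verdict:
                    tag, name = el.tag.split("}")[-1], attr.split("}")[-1]
                    findings.append((tag, name, el.attrib[attr], verdict))
    return findings

def should_reject(svg_bytes):
    """Block the upload on any internal target or DTD; public URLs go to review."""
    return any(f[3] in ("internal", "dtd") for f in find_refs(svg_bytes))

# Constructed sample resembling the abuse pattern described on this page.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="#icon"/>
  <image href="http://localhost:8080/api/image" width="1" height="1"/>
  <image xlink:href="http://10.0.0.5/admin" width="1" height="1"/>
  <a href="https://example.org/doc"><text>doc</text></a>
</svg>"""
```

The check covers attribute references only; CSS url() values in style attributes or <style> blocks need a separate pass before the file is accepted.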

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 9.1 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd | v4.0 | 6.9 MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X