CVE-2025-23213
Published: 28 January 2025
Summary
CVE-2025-23213 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Tandoor Recipes. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 46.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) AI
Timely patching to version 1.5.28 directly remediates the unrestricted file upload vulnerability that lets malicious HTML and SVG files be stored and served.
Input validation on file uploads detects and rejects dangerous file types such as HTML and SVG that can carry XSS payloads.
Restricting file upload inputs by MIME type and by actual content prohibits formats that are exploitable for XSS.
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The web application's file upload vulnerability enables XSS through malicious HTML/SVG payloads, which maps to Exploitation for Privilege Escalation (T1068) via the changed scope, Exploitation for Credential Access (T1212), and Steal Web Session Cookie (T1539).
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG. Both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28.
Deeper analysis AI
CVE-2025-23213 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and building shopping lists. The vulnerability resides in the file upload feature, which permits the upload of arbitrary files, including HTML and SVG formats. Both file types can embed active content such as XSS payloads, so the weakness is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was fixed in version 1.5.28.
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity by uploading a malicious HTML or SVG file containing XSS payloads. Exploitation requires user interaction, such as a victim viewing or interacting with the uploaded file. Successful attacks leverage the changed scope to achieve high confidentiality and integrity impacts, potentially allowing attackers to steal sensitive data like session cookies, perform actions on behalf of the victim, or escalate control within the application.
The Tandoor Recipes security advisory (GHSA-56jp-j3x5-hh2w) and the fixing commit (3e37d11c6a3841a00eb27670d1d003f1a713e1cf) confirm the vulnerability's resolution in version 1.5.28. Security practitioners should urge users to update to this version or later to mitigate the risk, and review file upload configurations to restrict dangerous MIME types like HTML and SVG in affected deployments.
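One way to implement the input-validation control described above, as an added example that is not Tandoor's code or its fix: an allowlist-based upload check that requires the extension, the declared MIME type and the file's actual bytes to agree, and sniffs the leading bytes for HTML/SVG/XML markup so a renamed SVG or an image/HTML polyglot is still rejected, plus a header helper for serving stored uploads so a browser never renders them as a document. The allowlist, function names and sample inputs are my own assumptions.

```python
import re

# Only formats the upload endpoint should accept, keyed by extension, with the
# magic bytes each real file starts with (constructed allowlist for this example).
ALLOWED = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}
# Markup a browser will render, and run scripts from, if the file is opened directly.
ACTIVE_MARKUP = re.compile(rb"<\s*(svg|html|script|!doctype\s+html|\?xml)", re.IGNORECASE)


def classify_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Extension, declared MIME type and actual bytes must
    all agree; the declared type is client-controlled, so it is never trusted alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension '.{ext}' is not in the allowlist"
    expected_type, signatures = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, f"declared type {declared_type!r} does not match .{ext}"
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    if ACTIVE_MARKUP.search(head):  # catches renamed SVG/HTML and image/HTML polyglots
        return False, "content starts with HTML/SVG/XML markup"
    if not any(head.startswith(sig) for sig in signatures):
        return False, f"magic bytes do not match {expected_type}"
    return True, expected_type


def serve_headers(validated_type: str, stored_name: str) -> dict:
    """Headers for serving a stored upload (stored_name is the server-generated name,
    not the user's filename). <img> tags still render it, but direct navigation downloads
    instead of rendering, nosniff stops MIME guessing, and the CSP sandbox neuters any
    script that slipped through."""
    return {
        "Content-Type": validated_type,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```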
Details
- CWE(s)