CVE-2025-27500
Published: 03 March 2025
Summary
CVE-2025-27500 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the OpenZiti ziti-console admin panel. Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 41.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 limits the actions that may be performed without identification or authentication; requiring an authenticated admin session on /api/upload removes the unauthenticated access path this CVE depends on.
SI-10 requires validation of inputs such as file uploads for consistency with expected content (allow-listed types, a size limit, and a check of the actual file contents rather than the client-declared type), blocking malicious XSS payloads from being stored in the first place.
SI-15 mandates filtering of information output before transmission; serving stored files with a validated content type, Content-Disposition: attachment and X-Content-Type-Options: nosniff prevents a stored payload from executing in the admin panel's origin when the file is fetched via its URL. Note that the shipped fix in 3.7.1 took the simplest route and disabled the endpoint outright, which is preferable to hardening a feature that is no longer needed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated file upload to a public-facing admin endpoint (T1190: Exploit Public-Facing Application) lets an attacker store a malicious file that yields stored XSS; the payload then runs in the browser of whoever views the content, which is the Drive-by Compromise pattern (T1189).
NVD Description
OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint (/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no longer necessary as the ziti-console moves from a node server application to a single page application, and has been disabled. The vulnerability is fixed in 3.7.1.
Deeper analysis
CVE-2025-27500 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the OpenZiti project, specifically the ziti-console admin panel. The issue stems from an unauthenticated endpoint at /api/upload that accepts HTTP POST requests to upload files, which are then stored on the node and made accessible via a URL. With a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it enables attackers to upload files containing malicious code that executes in the context of a user's browser when the URL is accessed.
Any unauthenticated attacker with network access to the admin panel can exploit this vulnerability by sending a POST request with a malicious file to the /api/upload endpoint. Once uploaded, the file becomes accessible via a generated URL, and the stored XSS payload executes when an administrative user or any other user's browser loads that URL. This can lead to high confidentiality impacts, such as theft of session cookies or other sensitive data visible to the panel, and limited integrity impacts such as defacing content within the victim's browser session.
The GitHub security advisory (GHSA-frxm-vm48-5qf2) confirms the vulnerability has been fixed in OpenZiti ziti-console version 3.7.1 by disabling the /api/upload endpoint entirely, as it is no longer required following the ziti-console's transition from a Node.js server application to a single-page application. Security practitioners should upgrade to version 3.7.1 or later. The advisory does not say that files already stored through the endpoint are removed, so operators upgrading from an affected version should also review the node for files previously placed via /api/upload and delete anything unexpected, and should confirm that the admin panel is not reachable from untrusted networks until the upgrade is complete.
Details
- CWE(s)