CVE-2025-64759
Published: 19 November 2025
Summary
CVE-2025-64759 is a high-severity Improper Input Validation (CWE-20) vulnerability in Homarr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 18.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability in Homarr, an open-source dashboard application. Versions prior to 1.43.3 are affected due to improper handling of uploaded SVG files, which allows the execution of arbitrary JavaScript in a victim's browser when the malicious file is rendered. The issue is linked to CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).
An authenticated attacker with high privileges can exploit this by uploading a malicious SVG file. If an administrator views a page that renders or redirects to the SVG, the stored XSS payload executes with minimal or no further user interaction, enabling the attacker to manipulate the application in the admin's context. This can be abused to add the attacker's account to the "credentials-admin" group, granting full administrative access to the Homarr instance.
The vulnerability has been patched in Homarr version 1.43.3. Official mitigation guidance is available in the Homarr security advisory (GHSA-wj62-c5gr-2x53) and the corresponding patch commit (aaa23f37321be1e110f722b36889b2fd3bea2059) on GitHub, recommending immediate upgrades for affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198220
Vulnerability details
Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists that allows the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator were to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.
- CWE(s): CWE-20 (Improper Input Validation), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via a malicious SVG upload enables arbitrary JavaScript execution (T1059.007) in the administrator's browser context; that execution is then used for privilege escalation (T1068) by manipulating the application into granting admin access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses CWE-20 improper input validation by requiring checks on uploaded SVG files to block malicious JavaScript content.
- Mitigates CWE-434 unrestricted upload of dangerous file types by restricting uploads to safe formats or characteristics, preventing malicious SVGs.
- SI-15 (Information Output Filtering): prevents stored XSS execution by filtering output when rendering or displaying potentially malicious SVG files in users' browsers.
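The following is an added, constructed example (not Homarr's code and not from the advisory or patch) of the upload-time check the "Deeper analysis" section and the SI-10 control above describe: the uploaded SVG is parsed as XML and rejected if it contains anything that can execute script in a viewer's browser. Python's standard-library parser is used for illustration; the element and attribute names come from the SVG/XLink specifications, and the sample uploads at the bottom are constructed test vectors, not files from any real instance.

```python
"""Upload-time validation for SVG files (constructed defensive example).

This is not Homarr's own code. It shows the NIST SI-10 style check an
upload handler can run before storing an SVG: parse it as XML and refuse
anything able to run script or pull in foreign content, so a stored SVG
cannot later become a stored XSS payload in an administrator's browser.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute code or embed non-SVG content; a dashboard icon never needs them.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes whose value is a URL and therefore must pass the allowlist below.
URL_ATTRIBUTES = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
# Only raster data: URIs are allowed; data:image/svg+xml could itself carry script.
SAFE_DATA_URI = re.compile(r"^data:image/(png|jpe?g|gif|webp)[;,]")
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _namespace(tag: str) -> str:
    """ElementTree spells a namespaced name as '{ns}local'; return ns (or '')."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag: str) -> str:
    """Lower-cased local name without the '{ns}' prefix."""
    return tag.rsplit("}", 1)[-1].lower()


def _normalize(value: str) -> str:
    """Drop whitespace and control characters that browsers skip inside URLs ('java\\nscript:')."""
    return re.sub(r"[\x00-\x20\x7f]", "", value).lower()


def _url_allowed(value: str) -> bool:
    """Allowlist: fragments and relative paths, http(s), or raster data: URIs."""
    v = _normalize(value)
    m = SCHEME.match(v)
    if m is None:          # '#id' or a relative path: no scheme to abuse
        return True
    scheme = m.group(1)
    if scheme in SAFE_SCHEMES:
        return True
    return scheme == "data" and SAFE_DATA_URI.match(v) is not None


def validate_svg(data: bytes) -> list[str]:
    """Return the reasons to reject this upload; an empty list means accept."""
    lowered = data.lower()
    # Refuse DOCTYPE/ENTITY before parsing: entity expansion and XXE are parser-level
    # risks, and no icon exported by a modern tool needs a DTD.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems: list[str] = []
    if _local(root.tag) != "svg":
        problems.append("root element is not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if _namespace(elem.tag) != SVG_NS:   # e.g. XHTML smuggled in via a nested namespace
            problems.append(f"element <{name}> outside the SVG namespace")
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            local = _local(attr)             # 'xlink:href' arrives as '{xlink-ns}href'
            if local.startswith("on"):
                problems.append(f"event handler attribute {local} on <{name}>")
            elif local in URL_ATTRIBUTES and not _url_allowed(value):
                problems.append(f"disallowed URL in {local} on <{name}>")
            elif any(s in _normalize(value) for s in ("javascript:", "vbscript:")):
                # catches scripting URLs placed in non-URL attributes, e.g. <set to="...">
                problems.append(f"scripting URL in {local} on <{name}>")
    return problems


# Constructed sample uploads for demonstration; not files from any real deployment.
SAMPLE_SVGS = {
    "benign icon": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
                   b'<circle cx="12" cy="12" r="10" fill="#1e90ff"/>'
                   b'<a href="#details"><rect x="4" y="4" width="16" height="16"/></a></svg>',
    "script element": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "event handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "obfuscated href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                       b'<a xlink:href="jAva&#10;script:alert(1)"><text>x</text></a></svg>',
    "foreign markup": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                      b'<p xmlns="http://www.w3.org/1999/xhtml">hi</p></foreignObject></svg>',
    "dtd": b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
}

if __name__ == "__main__":
    for label, svg in SAMPLE_SVGS.items():
        reasons = validate_svg(svg)
        print(f"{label:16s} -> {'ACCEPT' if not reasons else 'REJECT: ' + '; '.join(reasons)}")
```

Validation is only the SI-10 half. The SI-15 half is how the stored file is served: reference it from dashboards through `<img>` (which never runs script inside an SVG) rather than inlining the markup, and respond to direct requests for the file, the "redirects to the SVG" case described above, with `Content-Security-Policy: script-src 'none'` and `X-Content-Type-Options: nosniff`, or `Content-Disposition: attachment` where direct viewing is not needed. Rejecting a DTD outright also refuses older editor exports that carry a harmless `<!DOCTYPE svg PUBLIC ...>` line; that is a deliberate trade-off, since re-exporting without the DTD costs nothing and keeps entity handling out of the parser entirely.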