CVE-2025-64759
Published: 19 November 2025
Summary
CVE-2025-64759 is a high-severity Improper Input Validation (CWE-20) vulnerability in Homarr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 17.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses CWE-20 improper input validation by requiring checks on uploaded SVG files to block malicious JavaScript content.
- Mitigates CWE-434 unrestricted upload of dangerous file types by restricting uploads to safe formats or characteristics, preventing malicious SVGs.
- Prevents stored XSS execution by filtering output when rendering or displaying potentially malicious SVG files in users' browsers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via a malicious SVG upload enables arbitrary JavaScript execution (T1059.007) in the administrator's browser context; this is exploited for privilege escalation (T1068) by manipulating the application into granting the attacker admin access.
NVD Description
Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator were to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.
Deeper analysis
CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability in Homarr, an open-source dashboard application. Versions prior to 1.43.3 are affected due to improper handling of uploaded SVG files, which allows the execution of arbitrary JavaScript in a victim's browser when the malicious file is rendered. The issue is linked to CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).
An authenticated attacker with high privileges can exploit this by uploading a malicious SVG file. If an administrator views a page that renders or redirects to the SVG, the stored XSS payload executes with minimal or no further user interaction, enabling the attacker to manipulate the application in the admin's context. This can be abused to add the attacker's account to the "credentials-admin" group, granting full administrative access to the Homarr instance.
The vulnerability has been patched in Homarr version 1.43.3. Official mitigation guidance is available in the Homarr security advisory (GHSA-wj62-c5gr-2x53) and the corresponding patch commit (aaa23f37321be1e110f722b36889b2fd3bea2059) on GitHub, recommending immediate upgrades for affected deployments.
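As an added defensive example (not code from the Homarr project or its patch), the following Python sketches the two controls named in the mitigating-controls list: svg_upload_findings rejects uploads that carry the script vectors this bug class relies on (SI-10 input validation), and stored_svg_response_headers serves accepted files so that a browser opening one as a document cannot execute script (SI-15 output filtering). The blocked element and scheme lists, the header values and the two sample SVGs are my assumptions, chosen conservatively rather than taken from the advisory.

```python
import xml.etree.ElementTree as ET

# Elements that can execute script or embed another document inside an SVG.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn <a>, <use>, <image> or <animate to="..."> into code execution.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_upload_findings(data: bytes) -> list[str]:
    """Reasons an uploaded SVG must be rejected (SI-10 input validation); empty = accepted.
    Conservative denylist for this bug class, not Homarr's own fix; for untrusted input
    cap the upload size and prefer defusedxml's parser, which rejects entity expansion."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings: list[str] = []
    for el in root.iter():  # iter() yields the root itself first, then every descendant
        tag = _local(el.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"blocked element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload=, onclick=, ... on any element
                findings.append(f"event handler attribute {name} on <{tag}>")
            # Browsers drop embedded tabs/newlines from URLs, so compare whitespace-free.
            elif "".join(value.split()).lower().startswith(BLOCKED_SCHEMES):
                findings.append(f"{name} on <{tag}> uses a blocked URL scheme")
    return findings

def stored_svg_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving an accepted upload (SI-15 output filtering): the CSP disables
    script and the attachment disposition stops the file rendering as a page. Both act only
    when the SVG is loaded as a document, the "renders or redirects to" case in the advisory."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "upload.svg"
    return {"Content-Type": "image/svg+xml", "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox"}

# Constructed samples: a plain icon, and an upload carrying three distinct script vectors.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
               b' onload="alert(1)"><script>alert(1)</script>'
               b'<a xlink:href="java\tscript:alert(1)"><text>hi</text></a></svg>')
```

Embedding via an img element never runs script regardless of these headers; the checker matters for the stored file, the headers for the direct-navigation and iframe/object cases.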
Details
- CWE(s)