Medium severity · 6.1 · OSV Advisory · Published Mar 25, 2025 · Updated Apr 15, 2026

CVE-2025-30219

Description

RabbitMQ is a messaging and streaming broker. In versions prior to 4.0.3, a sophisticated attack that modifies a virtual host name on disk and then makes that virtual host unrecoverable (together with other on-disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions display an error message (a notification) in the management UI. That error message includes the virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3 and 3.13.8. An attack that both makes a virtual host fail to start and either creates a new virtual host whose name contains an XSS snippet or renames an existing virtual host on disk could therefore trigger arbitrary JavaScript execution in the management UI (the user's browser). Open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3 and 3.13.8 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RabbitMQ prior to 4.0.3 has an XSS vulnerability in management UI error messages due to unescaped virtual host names, allowing arbitrary JavaScript execution.

Vulnerability

Overview

RabbitMQ versions prior to 4.0.3 are vulnerable to a stored cross-site scripting (XSS) flaw in the management UI. When a virtual host fails to start, the error notification includes the virtual host name without proper escaping. An attacker who can modify the virtual host name on disk (e.g., by altering configuration files) and cause the virtual host to fail to start can inject arbitrary JavaScript code into the error message [1].
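The flaw described above comes down to one rendering decision. The following added example (not RabbitMQ's own code; function names and the sample values are constructed for illustration) shows a notification template that concatenates the virtual host name into markup unescaped, the hardened form that escapes every untrusted value first, and a simple check that flags any tag in the rendered output that the template itself did not produce.

```javascript
// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern (hypothetical): the vhost name lands in the markup as-is,
// so a name tampered with on disk becomes live HTML in the admin's browser.
function renderVhostNoticeUnescaped(vhostName, reason) {
  return `<div class="notification">Virtual host ${vhostName} failed to start: ${reason}</div>`;
}

// Hardened pattern: each untrusted value is escaped before it becomes markup.
function renderVhostNoticeEscaped(vhostName, reason) {
  return `<div class="notification">Virtual host ${escapeHtml(vhostName)} failed to start: ${escapeHtml(reason)}</div>`;
}

// Cheap regression check for a test suite: does the rendered HTML contain any
// tag other than the ones the template is allowed to emit?
function containsForeignTag(html, allowedTags = ['div']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample: a vhost name carrying markup, as an on-disk tampering
// attack would leave it (value made up for this example).
const TAMPERED_VHOST = 'orders<script>alert(1)</script>';
const SAMPLE_REASON = 'metadata store unavailable';

console.log(renderVhostNoticeUnescaped(TAMPERED_VHOST, SAMPLE_REASON)); // injected <script> survives
console.log(renderVhostNoticeEscaped(TAMPERED_VHOST, SAMPLE_REASON));   // rendered as inert text
```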

Exploitation

Prerequisites

Exploitation requires a sophisticated attack chain: the attacker must first gain the ability to modify virtual host names on disk (e.g., through file write access or other means) and then trigger a failure for that virtual host. The injected JavaScript executes in the browsers of management UI users who view the error notification. No authentication is needed to view the management UI if it is exposed, but the attacker needs prior access to modify on-disk data [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the management UI. This could allow an attacker to perform actions on behalf of an authenticated administrator, steal session tokens, or deface the interface. The CVSS v3.1 base score is 6.1 (Medium), reflecting the need for prior access to modify files [1].

Mitigation

The vulnerability is patched in open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3 and 3.13.8. Users unable to upgrade can disable the management plugin and rely on Prometheus and Grafana for monitoring as a workaround [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
