Moderate severityOSV Advisory· Published Nov 27, 2025· Updated Dec 16, 2025

CVE-2025-3261

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.thingsboard:applicationMaven	< 4.2.1	4.2.1

Affected products

Thingsboard/ThingsboardOSV
Range: v1.0, v1.2.1, v1.3.1, …

Patches

b2ae6f92d122

added Content-Security-Policy header to download image api to prevent malicious code injection

https://github.com/thingsboard/thingsboarddashevchenkoAug 27, 2025via ghsa

commit

1 file changed · +1 −0

application/src/main/java/org/thingsboard/server/controller/ImageController.java+1 −0 modified

@@ -300,6 +300,7 @@ private ResponseEntity<ByteArrayResource> downloadIfChanged(ImageCacheKey cacheK
         tbImageService.putETag(cacheKey, descriptor.getEtag());
         var result = ResponseEntity.ok()
                 .header("Content-Type", descriptor.getMediaType())
+                .header("Content-Security-Policy", "default-src 'none'")
                 .eTag(descriptor.getEtag());
         if (!cacheKey.isPublic()) {
             result

Vulnerability mechanics

Not enough inputs (no patches or CWE) to synthesize mechanics for this CVE.

References

github.com/advisories/GHSA-5p82-2q3r-wj3mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-3261ghsaADVISORY
advisory.checkmarx.net/advisory/CVE-2025-3261ghsaWEB
github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000