Unrated severity · NVD Advisory · Published Oct 17, 2025 · Updated Nov 19, 2025
ThingsBoard < v4.2.1 SVG Image SSRF
CVE-2025-34282
Description
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.
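The description turns on SVG constructs that make a parser or renderer fetch a URL. The upload-time check below is an added example, not ThingsBoard's code and not the fix shipped in v4.2.1; the function names, the set of constructs it looks for, and the sample documents (with the placeholder host internal.example) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# url(...) targets in style/presentation attributes and <style> text
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)
CSS_IMPORT = re.compile(r"@import", re.IGNORECASE)
PROLOG = re.compile(rb"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.IGNORECASE)


def _is_local(target):
    """Only same-document fragments and inline image data count as local."""
    t = target.strip().lower()
    return t.startswith("#") or t.startswith("data:image/")


def find_external_refs(svg_bytes):
    """Return reasons why this SVG could make a server-side renderer fetch a URL."""
    # Refuse DTDs and stylesheet PIs before parsing: both can name external resources.
    if PROLOG.search(svg_bytes):
        return ["DTD or xml-stylesheet prolog"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the {namespace} prefix
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local in ("href", "src") and not _is_local(value):
                findings.append(f"<{tag}> {local}={value!r}")
            findings += [f"<{tag}> {local} url({t})"
                         for t in CSS_URL.findall(value) if not _is_local(t)]
        if tag.lower() == "style" and el.text:
            if CSS_IMPORT.search(el.text):
                findings.append("<style> @import")
            findings += [f"<style> url({t})"
                         for t in CSS_URL.findall(el.text) if not _is_local(t)]
    return findings


# Constructed samples; internal.example is a placeholder host.
REMOTE = (b'<svg xmlns="http://www.w3.org/2000/svg" '
          b'xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<image xlink:href="http://internal.example/status"/></svg>')
LOCAL = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs>'
         b'<linearGradient id="g"/></defs>'
         b'<rect fill="url(#g)" width="4" height="4"/></svg>')
```

An upload handler would reject any file for which `find_external_refs` returns a non-empty list; blocking outbound requests from the rendering process remains the stronger control, since a static check cannot anticipate every construct a renderer may dereference.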
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- github.com/thingsboard/thingsboard/pull/13927 (mitre, patch)
- github.com/thingsboard/thingsboard/releases/tag/v4.2.1 (mitre, release-notes, patch)
- www.vulncheck.com/advisories/thingsboard-svg-image-ssrf (mitre, third-party-advisory)