CVE-2025-41085
Description
Stored Cross-Site Scripting (XSS) vulnerability in Apidog version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files uploaded via a POST request to '/api/v1/user-avatar'; the files are then stored on the server and the scripts execute in the context of any user accessing the compromised resource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Apidog 2.7.15 allows attackers to inject malicious scripts via unsanitized SVG avatar uploads.
Vulnerability
Overview
CVE-2025-41085 is a stored Cross-Site Scripting (XSS) vulnerability in the Apidog web platform, version 2.7.15. The root cause is improper sanitization of SVG image files during avatar uploads. An attacker can craft an SVG file containing embedded JavaScript and submit it via a POST request to the /api/v1/user-avatar endpoint. The malicious file is then stored on the server without validation, making it available to other users [1].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have a valid user account on the Apidog instance, as the upload endpoint requires authentication. The attack is performed over the network with low complexity and needs no privileges beyond a standard user account, but it relies on user interaction (e.g., a victim viewing the attacker's profile or any page that loads the avatar). The CVSS v4.0 base score is 5.1 (Medium) with the vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N [1].
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of any user who accesses the compromised resource (e.g., by viewing the attacker's avatar). This can lead to session hijacking, defacement, or theft of sensitive information displayed in the user's browser. The scope is changed (reflected in the vector's SC:L/SI:L subsequent-system impacts) because the injected script can affect the confidentiality and integrity of the web application's security context rather than only the upload endpoint itself [1].
Mitigation
Status
As of the publication date (2026-02-04), no official patch or solution has been released by Apidog. Users are advised to restrict avatar uploads to non-SVG formats or to implement server-side sanitization of SVG files as a workaround until a vendor fix becomes available [1].
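The second workaround above, server-side sanitization of SVG uploads, is the kind of check that would have stopped the payload described in this CVE. The following is an added example written for this page; it is not Apidog's code and makes no assumptions about Apidog's internals. It parses an uploaded SVG against an allow-list of element names, strips event-handler attributes, non-fragment hrefs and active CSS, rejects DOCTYPE/ENTITY declarations outright (the stdlib parser still expands internal entities, so that check runs before parsing), and returns the cleaned document together with a list of what was removed, which is useful both as an audit log and as a detection signal. The sample avatar at the bottom is constructed for the test and mirrors the technique the advisory describes (script embedded in an SVG); the function and constant names are this example's own.

```python
"""Allow-list sanitizer for SVG avatar uploads (defensive example, not Apidog code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Element allow-list (SVG namespace only). Everything not listed is dropped,
# which covers script, foreignObject, image, use, set, animate, a, etc.
SAFE_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask",
}
# Attributes that carry URLs: only same-document fragments (#id) are kept.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
DANGEROUS_STYLE = re.compile(r"(url\s*\(|javascript:|expression\s*\(|@import|behavior\s*:)", re.I)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.I)


def _split(tag):
    """Return (namespace, local name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _attr_reason(name, value):
    """Return why an attribute is unsafe, or None if it may be kept."""
    ns, local = _split(name)
    if ns == XML_NS:
        return None  # xml:space / xml:lang are harmless
    if local.lower().startswith("on"):
        return f"event handler attribute {local}"
    if name in URL_ATTRS and not value.strip().startswith("#"):
        return f"external or scheme URL in {local}"
    if local == "style" and DANGEROUS_STYLE.search(value):
        return "active content in style attribute"
    if ns and ns not in (SVG_NS, XLINK_NS):
        return f"attribute in foreign namespace {ns}"
    return None


def _scrub(elem, reasons, path="svg"):
    """Recursively remove unsafe attributes and children, recording each removal."""
    for name, value in list(elem.attrib.items()):
        why = _attr_reason(name, value)
        if why:
            reasons.append(f"{path}: {why}")
            del elem.attrib[name]
    for child in list(elem):
        ns, local = _split(child.tag)
        if ns != SVG_NS or local not in SAFE_ELEMENTS:
            reasons.append(f"{path}: removed element <{local}>")
            elem.remove(child)
        else:
            _scrub(child, reasons, f"{path}/{local}")


def sanitize_svg(data: bytes):
    """Return (cleaned SVG bytes, list of removed items) for an upload.

    Raises ValueError for input that should be rejected outright. Comments and
    processing instructions (e.g. xml-stylesheet) are discarded by the parser.
    """
    if DOCTYPE_RE.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not <svg> in the SVG namespace")
    reasons = []
    _scrub(root, reasons)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8"), reasons


# Constructed sample upload for demonstration; not taken from the advisory.
CONSTRUCTED_AVATAR = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 64 64">
  <title>avatar</title>
  <circle cx="32" cy="32" r="30" fill="#4a90e2" onload="alert(1)"/>
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">x</div></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(CONSTRUCTED_AVATAR)
    print(cleaned.decode())
    for item in removed:
        print("removed:", item)
```

A non-empty removal list from a real upload is worth alerting on, since a legitimate avatar has no reason to carry scripts or event handlers. Even with sanitization, serving user-supplied SVG from the application's own origin leaves little margin for parser differences between this allow-list and the browser; the first workaround on this page (accepting only raster formats, or rasterizing SVG on the server) or serving avatars from a separate, cookieless origin with a restrictive Content-Security-Policy removes that residual risk.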
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0): No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0): No linked articles in our index yet.