CVE-2025-47929
Description
DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. Commit db27b25372eb9071e63583d8faed2111a2b79f1b fixes the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DumbDrop prior to commit db27b25 has a DOM-based XSS vulnerability via malicious file names in the upload interface.
Vulnerability Overview
The DumbDrop file upload application prior to commit db27b25 contains a DOM-based cross-site scripting (XSS) vulnerability. The root cause is the use of innerHTML to display file names without sanitization. When a file is uploaded, the application sets the content of progress labels and folder/file item elements using innerHTML, directly inserting the file name (or its relative path) into the DOM [1].
Exploitation Details
An attacker can exploit this by crafting a file with a malicious name, such as .csv. When a victim uploads such a file through the interface, the unsanitized file name is interpreted as HTML and executes the embedded JavaScript. The attack requires the victim to drag and drop or select the malicious file in the DumbDrop uploader, but no additional authentication or network position is needed beyond normal application usage [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to actions including stealing session cookies, manipulating page content, or performing actions on behalf of the user. The vulnerability is classified as low severity (CVSS score not provided) [2].
Mitigation
The vulnerability is fixed in commit db27b25372eb9071e63583d8faed2111a2b79f1b, which introduces an escapeHtml() helper function that sanitizes output by escaping HTML metacharacters (&, <, >, ", '). The fix replaces all innerHTML assignments with textContent (or uses escapeHtml() in template literals) to prevent script injection [1]. Users should update their DumbDrop instance to the latest commit.
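As an added illustration (not DumbDrop's own code), the following shows an escapeHtml() helper of the kind the fix describes, next to the vulnerable and the fixed way of rendering an upload progress label from an attacker-controlled file name. The file name is a constructed sample; the renderer function names are assumptions.

```javascript
// Added example, not code from the DumbDrop project. Shows why interpolating a
// raw file name into innerHTML is exploitable and how escaping neutralises it.

function escapeHtml(value) {
  // '&' must be replaced first; otherwise the entities added by the later
  // replacements would themselves be re-escaped (e.g. '&lt;' -> '&amp;lt;').
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, used only to show that the text a user sees is
// unchanged by escaping (the browser decodes entities back when rendering).
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern (pre-fix): the raw name is dropped into markup that is then
// assigned to innerHTML, so any tag inside the file name is parsed as HTML.
function renderLabelUnsafe(fileName, percent) {
  return `<span class="file-name">${fileName}</span> ${percent}%`;
}

// Fixed pattern: escape the name before interpolating it into the template
// literal. Assigning element.textContent = fileName instead of innerHTML is the
// equivalent DOM-API fix and needs no escaping at all.
function renderLabelEscaped(fileName, percent) {
  return `<span class="file-name">${escapeHtml(fileName)}</span> ${percent}%`;
}

// Lists the tags a browser would parse out of a markup string. For the fixed
// renderer only the intended <span> pair should remain.
function tagsIn(markup) {
  return (markup.match(/<\/?[a-z][^>]*>/gi) || []).map((t) => t.toLowerCase());
}

// Constructed sample: a file name carrying markup plus every escaped metacharacter.
const SAMPLE_NAME = 'Q1 <b>totals</b> & "it\'s".csv';
```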
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
Patches (1)
- db27b25372eb
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.