CVE-2025-51489
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine versions before 3.12.5, allowing remote attackers to upload a malicious SVG file when creating or updating an Article and execute arbitrary JavaScript when the file link is opened.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MoonShine < 3.12.5 allows Stored XSS via malicious SVG upload in Article thumbnails, executing arbitrary JavaScript when the file link is opened.
Vulnerability
Overview
CVE-2025-51489 is a Stored Cross-Site Scripting (XSS) vulnerability in MoonShine versions prior to 3.12.5. The root cause is a lack of proper file type validation for SVG uploads used as Article thumbnails. An attacker with the ability to create or update Articles can upload a crafted SVG containing embedded JavaScript, which is then stored on the server [1][2].
Attack
Vector and Exploitation
To exploit this vulnerability, a remote authenticated user with sufficient privileges (e.g., an admin role that can manage Articles) uploads a malicious SVG file when setting the Thumbnail for an Article. The SVG payload can include event handlers such as onload, causing arbitrary JavaScript execution when another user views the Article and the browser renders the SVG [2]. The attack requires no special network position beyond access to the MoonShine admin panel.
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of any victim who views the affected Article. This can result in session hijacking, data theft, or further admin-level actions. The CVSS v3.1 score is 4.5 (Medium), with a vector of AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, indicating high confidentiality impact but requiring high privileges and user interaction [2].
Mitigation
The vulnerability is fixed in MoonShine version 3.12.5 and later. The commit [4] demonstrates the addition of MIME-type restrictions for image uploads, limiting allowed file types to jpeg,jpg,png,gif. Users are strongly advised to update to the latest version. If upgrading is not immediately possible, administrators should restrict upload capabilities to trusted users and consider adding server-side validation for uploaded SVG files [3].
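The server-side content check suggested above, written out as an added example that is not MoonShine's code: Laravel's bare `image` rule accepted SVG on versions before Laravel 12, which is why the fix narrows it with `mimes:jpeg,jpg,png,gif`; the standalone helper below applies the same idea by sniffing the file's bytes and ignoring its name. The `ALLOWED_IMAGE_MIMES` list and the sample files are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Allowed raster types, mirroring the fix's mimes:jpeg,jpg,png,gif list (assumption).
const ALLOWED_IMAGE_MIMES = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * True only if the file's CONTENT is a raster image of an allowed type.
 * The client-supplied filename and Content-Type header are ignored on
 * purpose: an SVG renamed to .png must still be rejected.
 */
function isAllowedRasterImage(string $path): bool
{
    // libmagic sniff: SVG/XML comes back as image/svg+xml or text/xml,
    // neither of which is in the allow list, so it is rejected here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, ALLOWED_IMAGE_MIMES, true)) {
        return false;
    }
    // Second opinion: getimagesize() parses the raster header itself and
    // returns false for anything that is not a real JPEG/PNG/GIF.
    $info = @getimagesize($path);
    return $info !== false && in_array($info['mime'], ALLOWED_IMAGE_MIMES, true);
}

// Constructed samples (not from the advisory): a 1x1 PNG and a plain SVG,
// both saved under a .png name to show that the extension does not matter.
$samples = [
    'png' => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
    'svg' => '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
];
foreach ($samples as $kind => $bytes) {
    $path = sys_get_temp_dir() . '/thumb_' . $kind . '.png';
    file_put_contents($path, $bytes);
    printf("%s disguised as .png: %s\n", $kind,
        isAllowedRasterImage($path) ? 'accepted' : 'rejected');
    unlink($path);
}
```

Serving user uploads with a `Content-Disposition: attachment` header, or from a separate origin, limits the blast radius of any image that does slip through.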
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moonshine/moonshine (Packagist) | < 3.12.5 | 3.12.5 |
Affected products
- MoonShine/MoonShine
Patches
17102fb113627 fix: image validation
2 files changed · +2 −1
src/Laravel/src/Http/Requests/ProfileFormRequest.php+1 −1 modified@@ -33,7 +33,7 @@ public function rules(): array moonshineConfig()->getUserField('username') )->ignore(MoonShineAuth::getGuard()->id()), ], - $avatar => blank($avatar) ? null : ['image'], + $avatar => blank($avatar) ? null : ['image', 'mimes:jpeg,jpg,png,gif'], $password => blank($password) ? null : 'sometimes|nullable|min:6|required_with:password_repeat|same:password_repeat', ]); }
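Review bot: this hunk restricts the profile `$avatar` field, but the advisory describes the stored XSS through the Article thumbnail upload; please confirm the Article resource's image field receives the same `mimes:jpeg,jpg,png,gif` constraint, otherwise the reported path is still open. The added `mimes:` rule is the right shape, since Laravel validates it against the extension guessed from file content rather than the client-supplied name, so an SVG renamed to `.png` is also rejected. Note that `webp` is not in the list, so any existing WebP avatars will fail re-validation on the next profile save.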
src/Laravel/src/Resources/MoonShineUserResource.php+1 −0 modified@@ -155,6 +155,7 @@ protected function rules($item): array 'email', Rule::unique('moonshine_users')->ignoreModel($item), ], + 'avatar' => ['image', 'mimes:jpeg,jpg,png,gif'], 'password' => $item->exists ? 'sometimes|nullable|min:6|required_with:password_repeat|same:password_repeat' : 'required|min:6|required_with:password_repeat|same:password_repeat',
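Review bot: the new `'avatar' => ['image', 'mimes:jpeg,jpg,png,gif']` rule has no `nullable` or `sometimes`, unlike the `blank($avatar) ? null : [...]` guard in ProfileFormRequest.php; an update that submits the avatar field empty will fail on `image`, so consider `['nullable', 'image', 'mimes:jpeg,jpg,png,gif']` to keep the avatar optional and the two validators consistent.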
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.