CVE-2025-56514
Description
Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows execution of arbitrary JavaScript when malicious SVG files are rendered by other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with group creator privileges can upload malicious SVG files as group avatars, causing stored XSS when other users view them.
Vulnerability
Overview
CVE-2025-56514 is a stored Cross-Site Scripting (XSS) vulnerability in Fiora chat application version 1.0.0. The root cause is the lack of sanitization of SVG files uploaded via the group avatar change functionality. When a malicious SVG containing embedded JavaScript is uploaded, it is stored on the server and later served to other users without proper filtering [2].
Exploitation
An attacker must be authenticated and have creator privileges in a target group. They can upload a crafted SVG file (e.g., one whose element carries an attribute that executes JavaScript on mouseover) through the "Change Group Avatar" interface. The SVG is stored in the `/GroupAvatar/` directory. When the `Avatar.tsx` component renders this avatar in another user's browser, the embedded script executes, enabling XSS [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to session hijacking, theft of sensitive data (e.g., cookies, tokens), or further attacks within the chat application [2].
Mitigation
Status
As of the publication date, no official patch has been released by the vendor. The official Fiora repository [3] does not mention a fix. Mitigation requires implementing strict SVG sanitization or restricting avatar uploads to non-SVG image formats. The vulnerability is publicly documented with a proof-of-concept [2].
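The second mitigation named above, restricting avatar uploads to non-SVG image formats, is the one an upload handler can enforce without having to reason about SVG contents at all. The following is an added example written for this page, not Fiora's own code: a Node.js validator that allowlists raster formats by sniffing the file's leading bytes rather than trusting the filename extension or the client-supplied Content-Type, both of which the uploader controls, shown beside the weak extension-only check, plus the response headers a server should attach when serving stored avatars as defense in depth. All function and constant names, and the sample inputs, are this example's own assumptions.

```javascript
// Added example (not Fiora's own code): enforcing the mitigation of
// restricting avatar uploads to non-SVG raster formats. The decision is made
// by sniffing the leading bytes of the upload, never by filename extension or
// client-supplied Content-Type. Names below are this example's own.

// Allowlisted raster formats and their leading magic bytes.
const RASTER_SIGNATURES = [
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function hasPrefix(buf, magic) {
  if (buf.length < magic.length) return false;
  for (let i = 0; i < magic.length; i++) {
    if (buf[i] !== magic[i]) return false;
  }
  return true;
}

// WebP is a RIFF container: "RIFF" at offset 0 and "WEBP" at offset 8.
function isWebp(buf) {
  return buf.length >= 12 &&
    buf.toString("latin1", 0, 4) === "RIFF" &&
    buf.toString("latin1", 8, 12) === "WEBP";
}

// Returns the sniffed MIME type, or null when the bytes match no allowlisted format.
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (hasPrefix(buf, sig.magic)) return sig.type;
  }
  return isWebp(buf) ? "image/webp" : null;
}

// The weak check: trusting the extension. "avatar.svg" passes outright, and a
// renamed SVG passes too, because the bytes are never examined.
function extensionLooksLikeImage(filename) {
  return /\.(png|jpe?g|gif|webp|svg)$/i.test(filename);
}

// The hardened check: allowlist by content. Anything that is not one of the
// raster formats above, SVG included, is rejected regardless of its name.
function validateAvatarUpload(buf, { maxBytes = 2 * 1024 * 1024 } = {}) {
  if (!Buffer.isBuffer(buf) || buf.length === 0) {
    return { ok: false, reason: "empty or invalid upload" };
  }
  if (buf.length > maxBytes) return { ok: false, reason: "upload exceeds size limit" };
  const type = sniffRasterType(buf);
  if (type === null) return { ok: false, reason: "not an allowlisted raster image" };
  return { ok: true, type };
}

// Defense in depth when serving stored avatars: pin Content-Type to the type
// sniffed at upload, forbid browser MIME sniffing, and sandbox the response so
// a file that somehow slipped through cannot run script in the app's origin.
function avatarResponseHeaders(type) {
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "Cache-Control": "private, max-age=3600",
  };
}

// Constructed sample inputs (not real uploads): a PNG signature followed by
// filler bytes, and a harmless SVG document with no script in it. The SVG is
// still rejected, because the allowlist never has to inspect what an SVG holds.
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(64),
]);
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
);

// Usage: run the weak and hardened checks side by side.
function demo() {
  return {
    pngOk: validateAvatarUpload(SAMPLE_PNG).ok,                         // true
    svgByExtension: extensionLooksLikeImage("group-avatar.svg"),        // true (weak)
    svgRenamedByExtension: extensionLooksLikeImage("group-avatar.png"), // true (weak)
    svgByContent: validateAvatarUpload(SAMPLE_SVG).ok,                  // false (hardened)
  };
}
```

The allowlist deliberately omits SVG rather than attempting to sanitize it: a raster format cannot carry script, so the check stays correct no matter how an SVG is obfuscated. If a deployment must keep SVG avatars, the sanitization path should use a maintained allowlist-based sanitizer and still serve the files with the `nosniff` and sandboxing headers above.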
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Fiora / chat application
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hg3j-6pmh-mvjr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-56514 (GHSA, advisory)
- fiora.suisuijiang.com (GHSA, web)
- github.com/Kov404/CVE-2025-56514/tree/main (GHSA, web)
- fiora.suisuijiang.com (MITRE)
News mentions
No linked articles in our index yet.