VYPR
← All advisories
Low severityNVD Advisory· Published Oct 1, 2025· Updated Oct 1, 2025

CVE-2025-56515

CVE-2025-56515

Description

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Fiora chat 1.0.0 has a stored XSS vulnerability via SVG avatar uploads with embedded iframes and event handlers, allowing session theft.

Vulnerability

Overview CVE-2025-56515 is a stored cross-site scripting (XSS) vulnerability in the Fiora chat application version 1.0.0. The vulnerability arises from insufficient validation of SVG file content during user avatar uploads. The application fails to sanitize SVG elements, allowing attackers to embed malicious tags containing iframes and JavaScript event handlers (e.g., onmouseover) [1][2].

Exploitation

An authenticated user can upload a crafted SVG file as their avatar. When other users view the avatar (e.g., on profile pages or chat interfaces), the embedded JavaScript executes in their browser context. The attack requires no additional user interaction beyond viewing the affected profile, as the payload triggers automatically upon rendering [2].

Impact

Successful exploitation allows attackers to steal session cookies, perform unauthorized actions on behalf of the victim, and redirect users to malicious sites. The vulnerability bypasses existing XSS protections in the application, leading to full account compromise [1][2].

Mitigation

The vendor has confirmed the vulnerability, and a fix is pending. Users should upgrade to a patched version once available. In the interim, administrators can implement content security policies or manually validate SVG uploads [2][3].

References
  1. NVD - CVE-2025-56515
  2. GitHub - Kov404/CVE-2025-56515: Cross-Site Scripting (XSS) Vulnerability in Fiora Chat Application
  3. GitHub - yinxin630/fiora: An interesting open source chat application. Developed with node.js, mongoDB, socket.io and react

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Fiora/chat applicationdescription
  • Fiora/Fiorallm-create
    Range: =1.0.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.