VYPR
Moderate severity · NVD Advisory · Published Nov 20, 2025 · Updated Nov 26, 2025

CVE-2025-64027

Description

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Snipe-IT v8.3.4 has a reflected XSS in the CSV Import workflow where an attacker can inject arbitrary JavaScript via the progress_message parameter.

Vulnerability

Overview

CVE-2025-64027 describes a reflected cross-site scripting (XSS) vulnerability in Snipe-IT v8.3.4 (build 20218) within the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface without sanitization [1][3]. The root cause is that the server accepts user-supplied input for the progress_message parameter in the POST /livewire/update request and reflects it back to the client without proper validation or output encoding [1][3].

Exploitation

An attacker can exploit this by intercepting and modifying the POST /livewire/update request, injecting arbitrary HTML or JavaScript into the progress_message field. This requires the attacker to be in a position to perform a man-in-the-middle (MitM) attack on the authenticated admin's session, or to trick the admin into uploading a crafted CSV file while the attacker controls the network [1][3]. The injected payload is then reflected back to the admin's browser and executes in the context of the Snipe-IT admin interface [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript with admin privileges. This could lead to theft of session cookies, modification of assets, users, or other sensitive data, and installation of browser-based payloads [3]. The vulnerability is considered to have high impact on confidentiality and integrity, with low impact on availability [3].

Mitigation

As of the publication date, no patch has been released. The vendor disputes the finding, arguing that the attack only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself [1]. Users should ensure that the CSV Import page is accessed only over trusted networks and consider implementing additional network-level protections such as HTTPS with HSTS to reduce the risk of MitM attacks.
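As an added illustration (not Snipe-IT's own code and not a released patch), the two server-side changes that address the root cause described above: refusing client-side writes to progress_message and HTML-escaping it on output. It assumes, as the description implies, that progress_message is a public property of a Livewire 3 component; the component and view names are hypothetical.

```php
<?php
// Added example, not Snipe-IT's code. Assumes progress_message is a public
// property of a Livewire 3 component, which is what makes it writable from a
// tampered POST /livewire/update payload.

namespace App\Livewire;

use Livewire\Component;
use Livewire\Attributes\Locked;

class CsvImporter extends Component
{
    // Defence 1: #[Locked] makes Livewire reject any client-side update to this
    // property. A modified /livewire/update request that sets progress_message
    // is refused instead of being round-tripped into the rendered view.
    #[Locked]
    public string $progress_message = '';

    public function importFile(string $path): void
    {
        // Only the server assigns the message; it is never read from the request.
        $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        $rows  = $lines === false ? [] : array_map('str_getcsv', $lines);

        if ($rows === [] || count($rows[0]) < 2) {
            $this->progress_message = 'Import failed: the file is not a valid CSV.';
            return;
        }
        $this->progress_message = sprintf('Imported %d rows.', count($rows) - 1);
    }

    public function render()
    {
        // Defence 2: render the message escaped, never as raw HTML.
        // In the Blade view use   {{ $progress_message }}   (escaped),
        // not                     {!! $progress_message !!} (raw HTML).
        // e() is Laravel's htmlspecialchars wrapper; it is shown here so the
        // escaped form is explicit even if a template is later changed.
        return view('livewire.csv-importer', [
            'progress_message' => e($this->progress_message),
        ]);
    }
}
```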

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: snipe/snipe-it (Packagist)
Affected versions: <= 8.3.4
Patched versions: none listed

Affected products (2)

  • Snipe-IT/Snipe-IT (source: description)
  • Snipe/Snipe It (source: llm-fuzzy)
    Range: = v6.4.2 build 20218

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.