# 📂 CKFinder 1.4.3 – Stored Cross-Site Scripting (XSS) via Malicious SVG Upload
Identified a Stored Cross-Site Scripting (XSS) vulnerability in CKFinder v1.4.3 via malicious SVG file upload leading to script execution upon file preview.
**CVE ID:** CVE-2025-63830
---
## 🧭 Overview
A stored Cross-Site Scripting (XSS) vulnerability was identified in **CKFinder v1.4.3**.
The issue resides in the **file upload** functionality, which accepts SVG files containing active content (script elements, event-handler attributes) and stores them unchanged.
As a result, an attacker with upload rights can execute arbitrary JavaScript in the application's origin, in the browser of any user who later views or previews the uploaded file.
---
## ⚙️ Details
- **Finding Name**: Stored Cross-Site Scripting (XSS) via Malicious SVG Upload
- **Severity**: High
- **CVE ID**: CVE-2025-63830
- **Affected Component**: File Upload Function
- **Affected Product**: CKFinder v1.4.3
- **Vendor**: CKSource Holding sp. z o.o.
- **Attack Type**: Remote
---
## 🧾 Description
CKFinder v1.4.3 is vulnerable to **Stored Cross-Site Scripting (XSS)** in its **File Upload** functionality.
Uploading a crafted **SVG** file containing JavaScript results in persistent script execution whenever the stored file is later opened or previewed from the application.
This occurs because the SVG is stored and served unchanged, so embedded `<script>` elements, event-handler attributes (e.g., `onload`, `onclick`) and `<foreignObject>` elements (which embed arbitrary HTML) run in the application's origin. Note that an SVG referenced from an `<img>` tag does not execute script; the payload fires when the file is opened directly at its URL or embedded with `<iframe>`, `<object>` or `<embed>`.
---
## 🧪 Steps to Reproduce
1. Log in to the application integrated with CKFinder v1.4.3.
2. Navigate to the **File Upload** feature.
3. Upload the following malicious SVG file:
4. After upload, access or preview the file from within the CKFinder file manager or any linked view.
5. Observe JavaScript execution in the browser.
## 🎯 Impact / Risks
- Execution of arbitrary JavaScript in the application's origin in the victim's browser.
- Theft of session tokens or other sensitive data reachable from script (cookies not marked `HttpOnly`, local storage, page content).
- DOM manipulation, phishing overlays, or redirection to malicious websites.
- Actions performed in the victim's session within the admin or management interface, such as uploading, renaming or deleting further files.
---
## 🛡️ Remediation
- **Sanitize and validate** uploaded SVG files at upload time, before they are stored. Sanitizing only at render time is not enough, because the stored file can be fetched directly by its URL.
- **Disable SVG uploads** if not required: remove `svg` from the connector's allowed-extension list for every resource type.
- If SVG uploads are necessary:
  - Run a maintained SVG sanitizer (e.g., **DOMPurify** or the PHP **svg-sanitizer**) over the upload and store only its output; reject files that do not parse as XML or whose root element is not `<svg>`. Renaming the file or checking the client-supplied MIME type does not help, since the payload is in the file body.
  - Serve uploaded SVGs with response headers that keep script from running in the application's origin:
    ```http
    Content-Type: image/svg+xml; charset=UTF-8
    Content-Disposition: attachment
    X-Content-Type-Options: nosniff
    Content-Security-Policy: sandbox
    ```
    `Content-Disposition: attachment` forces a download and therefore also disables inline preview; where preview by direct navigation must stay, `Content-Security-Policy: sandbox` (with no `allow-scripts`) on its own blocks script execution in the SVG document. An SVG referenced from `<img>` never runs script, so that form of preview is unaffected either way.
  - Host user-uploaded files on a **separate domain** (or CDN origin) so that any script that does run has no access to the application's cookies, storage or DOM.
- **Upgrade to the latest version** of CKFinder; newer versions ship additional upload validation and security handling, but verify the fix against the version you deploy.
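The following is an added example, not CKFinder code and not the researcher's proof of concept. It shows, in stand-alone Python, the server-side gate the remediation calls for: a `find_active_content()` check that rejects an upload carrying any of the three carriers named in the Description (`<script>`, `on*` handlers, `<foreignObject>`), and a `sanitize_svg()` variant that strips them and stores the rest. The two sample SVGs, the element and attribute deny-lists, and the function names are constructed for illustration; a production deployment should run a maintained sanitizer (DOMPurify, svg-sanitizer) and parse with `defusedxml` rather than `xml.etree` directly.

```python
"""Server-side gate for uploaded SVG files.

Added example, not CKFinder code: it uses only the Python standard library so
it runs stand-alone. The deny-lists below are illustrative; a maintained
sanitizer tracks many more bypasses than this.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the re-serialised output readable (no ns0: prefixes).
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script directly, embed HTML (<foreignObject>), or can
# rewrite an href to a javascript: URL at runtime (SMIL <set>/<animate>).
DANGEROUS_TAGS = {"script", "foreignObject", "set", "animate", "animateTransform"}
# Attributes that take a URL; anything other than http(s), a #fragment or a
# relative path (javascript:, data:, vbscript:) is rejected.
URL_ATTRS = {"href", "src"}          # also matches xlink:href once the namespace is stripped


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def _is_unsafe_url(value: str) -> bool:
    # Browsers ignore ASCII control characters and whitespace inside a scheme,
    # so "java\nscript:" must be collapsed before the scheme is inspected.
    # Numeric character references (&#106;) were already decoded by the parser.
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"([a-z][a-z0-9+.\-]*):", compact)
    if m is None:
        return False                      # "#id" or a relative path
    return m.group(1) not in {"http", "https"}


def _unsafe_attr(attr: str, value: str) -> bool:
    name = _local(attr).lower()
    if name.startswith("on"):             # onload, onclick, onerror, ...
        return True
    if name in URL_ATTRS and _is_unsafe_url(value):
        return True
    return name == "style" and "javascript:" in value.lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons to reject the upload; an empty list means clean."""
    findings = []
    if re.search(rb"<!DOCTYPE", svg_bytes, re.IGNORECASE):
        # Do not even parse a DTD from an untrusted upload (entity expansion).
        findings.append("DOCTYPE declaration (entity expansion / XXE surface)")
        return findings
    root = ET.fromstring(svg_bytes)       # raises ParseError on non-XML input
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():                # root and every descendant
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            if _unsafe_attr(attr, value):
                findings.append(f"{_local(attr)}={value!r} on <{tag}>")
    return findings


def _scrub(el: ET.Element) -> None:
    # Iterate over a copy: removing from the live child list skips siblings.
    for child in list(el):
        if _local(child.tag) in DANGEROUS_TAGS:
            el.remove(child)              # drops the whole subtree
        else:
            _scrub(child)
    for attr in list(el.attrib):
        if _unsafe_attr(attr, el.attrib[attr]):
            del el.attrib[attr]


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Return the SVG with active content removed (strip-and-store variant)."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    _scrub(root)
    return ET.tostring(root, encoding="unicode").encode("utf-8")


# Constructed sample: the carriers listed in the Description plus an
# obfuscated javascript: URL, all in one file.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <rect width="100" height="100" fill="red" onclick="alert(1)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#10;script:alert(2)"><text y="20">click</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body>
  </foreignObject>
</svg>
"""

# Constructed sample: an ordinary icon that must pass untouched.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')

if __name__ == "__main__":
    for reason in find_active_content(MALICIOUS_SVG):
        print("reject:", reason)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Rejecting (`find_active_content`) is the safer default for an admin file manager, because a stripped file is still a file the attacker chose; use `sanitize_svg` only where users legitimately need to keep SVGs that carry, for example, a stray `onload` from an export tool. Both functions see decoded attribute values, which is why the `java&#10;script:` URL in the sample is caught: the XML parser resolves the character reference and `_is_unsafe_url` then removes the newline before checking the scheme.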
---
## Proof-Of-Concept
<img width="823" height="370" alt="image (11)" src="https://github.com/user-attachments/assets/1afc6a47-54d9-4dca-ac12-ae43a1a18e4c" />
<img width="817" height="215" alt="image (12)" src="https://github.com/user-attachments/assets/81f85059-2cd6-49fa-9dcd-84cb9bc85c7e" />
<img width="1309" height="220" alt="image (13)" src="https://github.com/user-attachments/assets/a54a184e-d16b-4102-9015-ab9057b65bfd" />
<img width="833" height="240" alt="image (14)" src="https://github.com/user-attachments/assets/0a2dedee-05c3-4b67-827f-ebb34d456e8b" />
<img width="860" height="419" alt="image (15)" src="https://github.com/user-attachments/assets/aecb826d-5e51-46e4-8836-c042b4e9197b" />
## 👤 Discoverer
**Shubham Ghadge**
*Security Researcher / Application Security Consultant*