CVE-2025-34282
CriticalCVSS 9.1Exploitation Probability (EPSS)
Elevated risk74th percentile - higher than 74% of all known CVEs
Summary
ThingsBoard versions prior to 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL, potentially causing the server to initiate unintended outbound requests.
Risk Assessment
The risk involves potential access to internal services or network resources not directly accessible from outside, which could lead to data leakage or further system compromise.
Recommendation
It is recommended to immediately upgrade ThingsBoard to version 4.2.1 or later, which fixes this vulnerability. Additionally, consider restricting SVG file uploads or validating their content.
Original NVD description (English source)
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

