CVE Catalog

CVE-2025-34282

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.70%

74th percentile - higher than 74% of all known CVEs

Summary

ThingsBoard versions prior to 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL, potentially causing the server to initiate unintended outbound requests.

Risk Assessment

The risk involves potential access to internal services or network resources not directly accessible from outside, which could lead to data leakage or further system compromise.

Recommendation

It is recommended to immediately upgrade ThingsBoard to version 4.2.1 or later, which fixes this vulnerability. Additionally, consider restricting SVG file uploads or validating their content.

Original NVD description (English source)

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS