CVE-2025-64027: Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

November 20, 2025

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.

References

github.com/advisories/GHSA-8x9v-8qgj-945x
github.com/cybercrewinc/CVE-2025-64027
github.com/grokability/snipe-it
nvd.nist.gov/vuln/detail/CVE-2025-64027

Code Behaviors & Features

Detect and mitigate CVE-2025-64027 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →