CVE-2025-34281: ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
(updated )
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard’s Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.
References
- advisory.checkmarx.net/advisory/CVE-2025-3261
- advisory.checkmarx.net/advisory/CVE-2025-34281
- github.com/advisories/GHSA-fpq4-r87v-g246
- github.com/thingsboard/thingsboard
- github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03
- github.com/thingsboard/thingsboard/pull/13927
- github.com/thingsboard/thingsboard/releases/tag/v4.2.1
- nvd.nist.gov/vuln/detail/CVE-2025-34281
- www.vulncheck.com/advisories/thingsboard-svg-image-stored-xss
Code Behaviors & Features
Detect and mitigate CVE-2025-34281 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →