CVE-2025-57292: n/a
Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata.
AI Analysis
Technical Summary
CVE-2025-57292 is a stored cross-site scripting (XSS) vulnerability identified in Todoist version 8484, specifically within the avatar upload functionality. The vulnerability arises because the application neither properly validates the MIME type of uploaded files nor sanitizes the metadata embedded within image files. This improper validation allows an attacker to craft a malicious image file containing executable script code within its metadata. When this image is uploaded as an avatar and subsequently rendered by the application, the embedded script executes in the context of the victim's browser. Because this is a stored XSS, the malicious payload persists on the server and can affect every user who views the compromised avatar. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation), the weakness class behind XSS. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based and requires no privileges, but does require user interaction (the victim must view the malicious avatar). The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component, and the impact is limited to confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights a common web application security issue: insufficient input validation and output encoding allow attackers to inject malicious scripts via seemingly benign file uploads, leveraging image metadata fields that are often overlooked in sanitization routines.
Potential Impact
For European organizations using Todoist, especially those integrating avatar uploads in collaborative environments, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed on behalf of users. The confidentiality impact arises from potential theft of sensitive information accessible via the victim's session. Integrity can be compromised if malicious scripts alter displayed content or perform unauthorized operations within the application. While availability is not directly affected, the trustworthiness of the platform and user confidence may degrade. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) could face compliance risks if user data is exposed or manipulated. Additionally, since Todoist is widely used for task and project management, exploitation could lead to disruption of workflows or leakage of strategic information. The requirement for user interaction (viewing the malicious avatar) means social engineering or phishing tactics could be employed by attackers to maximize impact. The cross-site scripting nature also opens the door for further attacks such as drive-by downloads or spreading malware within the organization’s user base.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict validation of uploaded files, including verifying MIME types against a whitelist of allowed image formats and rejecting any files that do not conform. Image metadata should be thoroughly sanitized or stripped entirely before storage or rendering to remove any embedded scripts or malicious content. Applying Content Security Policy (CSP) headers can help limit the impact of any injected scripts by restricting the sources from which scripts can be executed. User input and output encoding must be enforced consistently across the application, particularly when rendering user-uploaded content. Organizations should monitor for updates from Todoist and apply patches promptly once available. In the interim, restricting or disabling avatar uploads or limiting them to trusted users can reduce risk. Security awareness training for users to recognize suspicious content and avoid interacting with untrusted avatars can also help. Finally, implementing web application firewalls (WAFs) with rules targeting XSS payloads in image metadata may provide an additional layer of defense.
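The two server-side controls above (format validation and metadata stripping) can be implemented without trusting anything the client declares. The following is an added example, not Todoist's code: it sniffs the format from the file's own bytes (the client-supplied Content-Type header is never consulted) and re-serialises a PNG avatar keeping only the chunks a decoder needs, so text chunks that could carry script are dropped outright rather than "sanitized". The sample image is constructed inline; JPEG avatars would need the analogous treatment of APPn and COM segments, which is not shown here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a decoder needs to render the image. Everything else (tEXt, iTXt, zTXt,
# eXIf, ...) is metadata and is discarded instead of being filtered for scripts.
PNG_KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def sniff_image_type(data: bytes) -> str:
    """Identify the format from the bytes themselves; the client-supplied
    Content-Type header is attacker-controlled and is never consulted."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    raise ValueError("upload is not a supported image format")

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def strip_png_metadata(data: bytes) -> bytes:
    """Re-serialise the PNG keeping only whitelisted chunks, verifying each CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out, pos = [PNG_SIG], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated PNG chunk")
        payload, (crc,) = data[pos + 8:end - 4], struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt PNG chunk")
        if ctype in PNG_KEEP:
            out.append(png_chunk(ctype, payload))
        pos = end
        if ctype == b"IEND":
            return b"".join(out)
    raise ValueError("PNG has no IEND chunk")

# Constructed sample: a valid 1x1 RGBA PNG carrying a script tag in a tEXt chunk.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
SAMPLE_PNG = (PNG_SIG + png_chunk(b"IHDR", IHDR)
              + png_chunk(b"tEXt", b"Comment\x00<script>constructed-marker</script>")
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00\x00"))
              + png_chunk(b"IEND", b""))
```

Serving the cleaned bytes with the sniffed MIME type (and `X-Content-Type-Options: nosniff`) complements the CSP and output-encoding measures above; it does not replace them.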
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d6b0ce9ebdae9623c32eea
Added to database: 9/26/2025, 3:27:10 PM
Last enriched: 9/26/2025, 3:30:42 PM
Last updated: 9/29/2025, 11:15:00 AM
Related Threats
- CVE-2025-34196: CWE-798 Use of Hard-coded Credentials in Vasion Print Virtual Appliance Host (Critical)
- CVE-2025-41252: CWE-203 Observable Discrepancy in VMware NSX (High)
- CVE-2025-57424: n/a (High)
- CVE-2025-41251: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in VMware NSX (High)
- CVE-2025-57879: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Esri Portal for ArcGIS (Medium)