CVE-2025-63317: n/a
Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment.
AI Analysis
Technical Summary
CVE-2025-63317 identifies a stored Cross Site Scripting (XSS) vulnerability in Todoist version 8896, specifically in the /api/v1/uploads endpoint. The application accepts SVG files without sanitizing them. SVG is an XML format that can carry script elements, event-handler attributes such as onload, and javascript: URLs, and a browser runs that script whenever it loads the SVG as a document, for example when the user opens the attachment link directly or the file is embedded through an object or iframe (scripts do not run when an SVG is displayed through an img tag or CSS). When a user opens a malicious SVG attachment from a task or comment, the embedded JavaScript executes in the origin the file is served from; if that is the Todoist web application's origin, the script can read what the user can read, perform actions on the user's behalf, and exfiltrate whatever the page's own scripts can reach, including session material if it is accessible to script. In practice the attacker must be able to attach a file to a task or comment the victim will open, typically as a collaborator on a shared project. This analysis scores the issue at CVSS v3.1 base 5.4 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), low impact to confidentiality and integrity and none to availability. Note that the CVE record itself carries no CVSS vector (Cvss Version is null in the Technical Details below) and no CWE; the issue maps to CWE-79, improper neutralization of user-supplied content during web page generation. No patch and no public exploit are known at the time of this analysis. Unsanitized SVG upload is a well-known oversight: the standard defenses are to reject SVG, to sanitize it on the server (remove script elements, event-handler attributes, foreignObject and javascript: references), and to serve uploads from a separate origin with Content-Disposition: attachment and a restrictive Content-Security-Policy so that a rendered file cannot run script in the application's origin.
Potential Impact
For European organizations, this vulnerability poses a risk mainly to the confidentiality and integrity of data held in Todoist. An attacker who can attach a file to a task or comment that a victim will open (typically a collaborator on a shared project) could run script in the context of that authenticated user: reading task and comment content the user can access, modifying or deleting tasks, and potentially obtaining session material or other secrets reachable from script, depending on how Todoist stores its session and from which origin it serves attachments. This could lead to disclosure of business-sensitive information or tampering with collaborative workflows. Availability is not affected, but reputational damage and data-breach consequences could be significant for organizations that rely on Todoist for project management and communication. Because user interaction is required, exploitation will typically rely on social engineering, such as an attachment named to look like a diagram, invoice or design asset that the victim is expected to open. Organizations in sectors with strict data protection obligations, such as finance, healthcare and government, may face compliance consequences if personal data is exposed. With no known public exploit at the time of writing, there is a window for proactive mitigation before exploitation attempts appear.
Mitigation Recommendations
To mitigate this vulnerability, organizations should apply layered defenses. Todoist is a hosted service, so the server-side controls below can only be applied by the vendor; customers cannot change how /api/v1/uploads stores or serves files and should focus on the user-side measures until a fix is confirmed.
Vendor-side fixes (what a patch should contain):
1) Reject SVG uploads, or sanitize them on the server with a library built for SVG before storing them: strip script elements, event-handler (on*) attributes, foreignObject and javascript: references.
2) Serve attachments from a separate origin, with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy, so that an attachment cannot run script in the application's origin even if sanitization misses something.
Customer-side measures:
3) Treat SVG attachments in tasks and comments as untrusted; download rather than open them in the browser, and be wary of unexpected attachments from collaborators or newly invited users.
4) Restrict who can join shared projects and review collaborator lists, since the attacker must be able to attach a file to a task or comment the victim will open.
5) Watch for unusual activity in Todoist accounts, such as unexpected task changes or unfamiliar collaborators, which could indicate a session abused through this flaw.
6) Follow Todoist vendor advisories; the web application is updated by the vendor, but desktop and mobile clients should be kept current.
7) Where the organization manages its devices, use browser and endpoint controls that limit script execution from untrusted content.
8) Include attachment-borne XSS in phishing and social-engineering awareness training, since exploitation requires the user to open the file.
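The two vendor-side controls above, sanitization and inert serving, in working form. This is an added example and not Todoist's code: the function names sanitize_svg and inert_download_headers, the element and attribute lists, and the sample upload MALICIOUS_SVG are all constructed here for illustration. It uses only the Python standard library.

```python
# Added example (not Todoist code): server-side handling of an SVG upload.
# Two layers: (1) sanitize the document so it carries no executable
# content, (2) serve it with headers that keep it from rendering as a
# scriptable document in the application's origin even if sanitization
# missed something. Assumed names: sanitize_svg, inert_download_headers.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Serialize back with the conventional prefixes instead of ns0:, ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary active content.
# foreignObject is the usual route for smuggling HTML inside SVG.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that run code when followed from href / xlink:href.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _local(name: str) -> str:
    """Strip the {namespace} part ElementTree prepends to tag/attr names."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control chars inside the scheme,
    # so normalise before comparing ("java\tscript:" is still live).
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(SCRIPT_SCHEMES)


def sanitize_svg(data: bytes) -> bytes:
    """Return a copy of the SVG with script-bearing content removed.

    Raises ValueError for input that should be rejected outright.
    """
    # A DOCTYPE is never needed for a plain SVG and is where entity
    # expansion (billion laughs) and external entities come from.
    if re.search(rb"<!DOCTYPE|<!ENTITY", data, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")

    root = ET.fromstring(data)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not an SVG <svg>")

    # Drop dangerous elements (and everything nested inside them).
    # Snapshot the iteration so removals do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_ELEMENTS:
                parent.remove(child)

    # Strip event handlers (on*) and script URLs on what remains.
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            name = _local(attr)
            if name.lower().startswith("on"):
                del elem.attrib[attr]
            elif name == "href" and _is_script_url(value):
                del elem.attrib[attr]

    return ET.tostring(root, encoding="utf-8")


def inert_download_headers(filename: str) -> dict:
    """Response headers for serving a stored upload as an inert download.

    Even a sanitized SVG should not open as a top-level document on the
    application's origin: attachment disposition forces a download,
    nosniff stops content-type guessing, and the CSP sandbox blocks
    script if a browser renders it anyway. Serving from a separate
    origin (a dedicated attachments host) is the other half of this.
    """
    # The filename comes from the uploader; keep it out of header injection.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment.svg"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample: the payload shapes a malicious upload would carry.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="java&#9;script:alert(2)"><text x="10" y="20">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(3)"/></body></foreignObject>
  <circle cx="50" cy="50" r="40" onclick="alert(4)"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG).decode())
    print(inert_download_headers('diagram "final".svg'))
```

Running the block prints the cleaned SVG (the circle and the text survive; the script, the foreignObject subtree, the handlers and the javascript: link are gone) and the headers. This covers the script vectors named in the analysis; a production sanitizer such as a DOMPurify-style library also handles CSS (style elements and attributes) and external references in use and image, and the headers only protect the application if attachments are not also reachable through an unrestricted path on the same origin.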
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692df37565b70a5c71304502
Added to database: 12/1/2025, 7:58:45 PM
Last enriched: 12/8/2025, 9:11:52 PM
Last updated: 1/15/2026, 10:58:17 PM
Views: 88
Related Threats
CVE-2026-1008: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365 (Medium)
CVE-2026-0915: CWE-908 Use of Uninitialized Resource in The GNU C Library glibc (Medium)
CVE-2025-67822: n/a (Unknown)
CVE-2025-59959: CWE-822 Untrusted Pointer Dereference in Juniper Networks Junos OS (Medium)
CVE-2025-52987: CWE-1021 Improper Restriction of Rendered UI Layers or Frames in Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) (Medium)