CVE-2025-64027: n/a
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.
AI Analysis
Technical Summary
CVE-2025-64027 is a reflected cross-site scripting (XSS) vulnerability identified in Snipe-IT version 8.3.4 (build 20218), specifically within the CSV Import workflow. The vulnerability arises because when an invalid CSV file is uploaded, the server generates a progress_message value that is rendered as raw HTML in the administrative interface without proper sanitization or encoding. An attacker capable of intercepting and modifying the POST /livewire/update request can inject arbitrary HTML or JavaScript code into the progress_message parameter. Since the server reflects this input back to the authenticated admin user’s browser without validation, the malicious script executes in the context of the admin’s session. This reflected XSS attack vector requires the attacker to have network access to intercept and modify requests or to trick an authenticated admin into submitting a crafted request. The vulnerability compromises the confidentiality and integrity of the admin session, potentially allowing session hijacking, credential theft, or execution of arbitrary actions with administrative privileges. Although no public exploits are currently known, the vulnerability is significant due to the high privileges of affected users and the ease of injecting malicious scripts once the POST request is intercepted. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed. Snipe-IT is an open-source asset management system widely used by organizations to manage hardware and software assets; installations running the specified version are affected. The reflected XSS occurs only in the admin interface, requiring authentication but no additional user interaction beyond viewing the import page. This limits the attack surface but does not eliminate risk, especially in environments where administrative access is exposed or where attackers can perform man-in-the-middle attacks.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of administrative sessions within Snipe-IT installations. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of authenticated admin users, leading to session hijacking, theft of sensitive asset management data, or unauthorized administrative actions such as modifying asset records or user permissions. This could disrupt asset management operations, cause data integrity issues, and facilitate further lateral movement within the network. Organizations relying on Snipe-IT for critical asset tracking, especially in sectors like finance, healthcare, or government, could face operational disruptions and compliance violations. The requirement for authentication limits exploitation to insiders or attackers who have already gained some network access, but the reflected nature of the XSS means that phishing or social engineering could also be used to trick admins into triggering the vulnerability. Given the administrative privileges involved, the impact on availability is moderate but the impact on confidentiality and integrity is high. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. European organizations with exposed or poorly segmented admin interfaces are particularly vulnerable.
Mitigation Recommendations
1. Apply patches or updates from Snipe-IT as soon as they become available that address this vulnerability.
2. Restrict access to the Snipe-IT administrative interface using network segmentation, VPNs, or IP whitelisting to limit exposure to trusted users only.
3. Implement strict input validation and output encoding for the CSV import workflow to ensure that progress_message values are properly sanitized and not rendered as raw HTML.
4. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface.
5. Monitor network traffic for unusual POST /livewire/update requests that may indicate attempts to exploit this vulnerability.
6. Educate administrators about the risks of clicking on suspicious links or uploading untrusted CSV files.
7. Employ multi-factor authentication (MFA) for admin accounts to reduce the risk of session hijacking.
8. Regularly audit and review administrative logs for signs of anomalous activity related to CSV imports or admin interface usage.
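As an added example (not code from Snipe-IT or from this advisory), the following Python shows the unescaped rendering flaw beside its output-encoded fix (recommendation 3) and a check over constructed request-log lines for the monitoring step (recommendation 5). The JSON body shape, the log line format and the function names are assumptions, not Livewire's real wire format.

```python
# Added example for CVE-2025-64027, not Snipe-IT's code: the unescaped render beside
# its output-encoded fix, plus a log check for /livewire/update request bodies.
# The JSON body shape and the log line format are constructed assumptions.
import html
import json
import re

def render_vulnerable(state: dict) -> str:
    # Mirrors the flaw: the client-controlled value is dropped into HTML as-is.
    return f'<div class="alert">{state.get("progress_message", "")}</div>'

def render_hardened(state: dict) -> str:
    # Output-encode at render time, so the browser displays the text instead of parsing it.
    msg = html.escape(str(state.get("progress_message", "")), quote=True)
    return f'<div class="alert">{msg}</div>'

def find_key(obj, key):
    # Yield every value stored under `key` anywhere in nested JSON data.
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)

# Tags, inline event handlers and javascript: URLs do not belong in a progress message.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)

def suspicious_livewire_updates(log_lines):
    # Return (line_no, value) for POST /livewire/update bodies whose progress_message
    # carries markup. Assumed log format per line: "METHOD PATH STATUS BODY".
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[0] != "POST" or parts[1] != "/livewire/update":
            continue
        try:
            data = json.loads(parts[3])
        except ValueError:
            continue  # non-JSON body: nothing to inspect
        for value in find_key(data, "progress_message"):
            if isinstance(value, str) and MARKUP.search(value):
                hits.append((n, value))
    return hits

# Constructed sample log (not real traffic); only line 2 carries injected markup.
SAMPLE_LOG = [
    'POST /livewire/update 200 {"components":[{"snapshot":{"data":{"progress_message":"Invalid CSV: missing header row"}}}]}',
    'POST /livewire/update 200 {"components":[{"snapshot":{"data":{"progress_message":"<script>alert(1)</script>"}}}]}',
]
```

The same `find_key` walk can be pointed at any other component field the admin page renders unescaped; the encoding fix belongs at render time regardless of what the client sends.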
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691f47cad2e902043d2402e5
Added to database: 11/20/2025, 4:54:34 PM
Last enriched: 11/20/2025, 5:09:42 PM
Last updated: 11/20/2025, 8:28:18 PM