CVE-2025-64027: n/a
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.
AI Analysis
Technical Summary
CVE-2025-64027 is a cross-site scripting (XSS) vulnerability reported in Snipe-IT version 8.3.4 (build 20218), in the CSV Import workflow. When an invalid CSV file is uploaded, the server sets a progress_message value for the import component and the admin interface renders that value as raw HTML instead of HTML-encoding it. The reported exploit intercepts the attacker's own POST /livewire/update request and replaces progress_message with HTML or JavaScript; the server accepts the modified value and re-renders it, so the script runs in the browser that sent the tampered request. That is the limitation the supplier raises in disputing the report: the only request being modified is the attacker's own, so what is demonstrated is self-XSS. The description's claim that the script executes for any authenticated admin who views the import page would require either altering another admin's request in transit (which TLS is designed to prevent) or the injected value being stored server-side, and the report shows neither. The underlying coding defect is still real and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation): a client-writable component property is emitted into the page without output encoding. This page's analysis assigns a CVSS v3.1 base score of 6.1 (medium); the CVE record itself lists no CVSS version (see Technical Details below). No fix and no public exploit are recorded on this page, and the CVE was published on November 20, 2025.
Potential Impact
For European organizations using Snipe-IT for asset management, the practical risk is moderate at most. If the injected value could be made to execute in another administrator's browser, the attacker would act in that admin's session context and could read asset and licence data or perform administrative actions. The demonstrated scenario, however, only executes the payload for the user who tampered with their own request. Reaching a different admin would require an on-path attacker able to modify that admin's HTTPS traffic, which a correctly configured TLS deployment prevents, or a stored variant that the report does not demonstrate. Network segmentation and a properly validated HTTPS connection to the admin interface therefore remove the main cross-user path, and an attacker who already controls an admin's workstation or an internal TLS-terminating proxy has easier options than this bug. No exploitation in the wild is recorded on this page. The defect is still worth fixing, because the same unescaped rendering would become a genuine cross-user XSS if the message were ever persisted or derived from attacker-influenced content.
Mitigation Recommendations
1. Apply updates from Snipe-IT as soon as a release addressing this report is published, and track the project's release notes for it.
2. Until then, restrict the CSV Import feature to a small set of trusted administrators and limit network access to the Snipe-IT admin interface with firewall rules or a VPN.
3. Serve the application only over HTTPS and enable HTTP Strict Transport Security (HSTS) so browsers will not fall back to plain HTTP; this closes the on-path request-modification route the description relies on. Browser certificate pinning is not a practical control for a web admin interface.
4. Add a Content Security Policy that disallows inline event handlers and inline scripts (a nonce- or hash-based script-src), which is what stops a payload such as an onerror attribute from executing even if it lands in the DOM. Deploy it in report-only mode first and confirm the Livewire-driven import page still works before enforcing it.
5. Log and review requests to /livewire/update whose progress_message field contains markup, and watch for repeated failed CSV imports from a single account; together these indicate someone probing this behaviour.
6. Make administrators aware that the injection vector is a tampered request rather than the CSV content: pasting or replaying requests supplied by a third party (browser console snippets, proxy rules) against their own session is how this bug becomes exploitable against them.
7. A web application firewall that inspects the JSON body of Livewire update requests can block obvious XSS payloads, but treat it as defence in depth rather than a fix.
8. Snipe-IT is open source, so the rendering of progress_message can be reviewed directly: Blade's {{ }} syntax HTML-encodes output while {!! !!} does not, and every public Livewire property should be treated as client-writable and encoded on output (or kept server-side if the client has no legitimate reason to modify it).
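As an added example, not Snipe-IT's or Livewire's code, the following Python model reproduces the round trip described in the technical summary and the output-encoding fix from mitigation item 8. The JSON shape of the update, the property names other than progress_message, and which properties are client-writable are assumptions chosen to mirror the description. It shows three things: a public component property rendered raw lets whoever owns the session execute markup (self-XSS), the escaped render turns the same payload into inert text, and the tampered value reaches only the tampering user's own response, which is the supplier's point.

```python
"""Model of a Livewire-style component round trip, written to illustrate the
behaviour described for CVE-2025-64027.  Illustrative code only: it is not
Snipe-IT's or Livewire's implementation.  The JSON shape of the update, the
property names other than progress_message, and which properties are
client-writable are assumptions chosen to mirror the description.
"""
import html
import json

# Public component properties are serialised to the browser and can be sent
# back modified on POST /livewire/update (that is how wire:model works).
# Anything rendered from such a property is therefore attacker-controlled,
# at minimum by the user who owns the session.
CLIENT_WRITABLE = {"progress_message", "file_name"}   # assumption


def server_validate_csv(content: str) -> str:
    """Server-generated progress message for an upload.  Constructed rule:
    a file whose header does not start with 'Item Name' is 'invalid'."""
    header = content.splitlines()[0] if content else ""
    if not header.lower().startswith("item name"):
        return "Invalid CSV: header row must start with 'Item Name'"
    return "CSV accepted"


def apply_update(state: dict, updates: dict) -> dict:
    """Merge client-supplied property writes into a copy of the component
    state.  Only client-writable properties are accepted; others are ignored."""
    new_state = dict(state)
    for prop, value in updates.items():
        if prop in CLIENT_WRITABLE:
            new_state[prop] = value
    return new_state


def render_vulnerable(state: dict) -> str:
    """Equivalent of Blade's raw output {!! $progress_message !!}: the value
    is inserted into the page as HTML and any tags in it become live DOM."""
    return f'<div class="alert">{state["progress_message"]}</div>'


def render_hardened(state: dict) -> str:
    """Equivalent of Blade's escaped output {{ $progress_message }}: <, >, &
    and quotes are entity-encoded, so the same value is displayed as text."""
    safe = html.escape(state["progress_message"], quote=True)
    return f'<div class="alert">{safe}</div>'


def livewire_update(sessions: dict, session_id: str, body: str, render) -> str:
    """Handle one POST /livewire/update for one session and return the
    re-rendered HTML for that session only.  `sessions` maps a session id to
    its component state; `body` is the JSON the browser submitted."""
    request = json.loads(body)
    state = apply_update(sessions[session_id], request.get("updates", {}))
    sessions[session_id] = state
    return render(state)


def upload_csv(sessions: dict, session_id: str, content: str, render) -> str:
    """Server-side handling of a real upload: the progress message is produced
    by the server from the file, not taken from the client."""
    state = dict(sessions[session_id])
    state["progress_message"] = server_validate_csv(content)
    sessions[session_id] = state
    return render(state)


def demo(render) -> dict:
    """Two admins with separate component state.  The attacker tampers with
    their own update (and also tries to write a non-writable property); the
    victim uploads an invalid CSV through the normal path."""
    blank = {"progress_message": "", "file_name": "", "rows_imported": 0}
    sessions = {"attacker": dict(blank), "victim": dict(blank)}

    payload = '<img src=x onerror="alert(document.cookie)">'      # constructed
    tampered = json.dumps({"updates": {"progress_message": payload,
                                       "rows_imported": 9999}})
    attacker_html = livewire_update(sessions, "attacker", tampered, render)

    victim_html = upload_csv(sessions, "victim", "name,serial\nfoo,123\n", render)

    return {
        "attacker": attacker_html,
        "victim": victim_html,
        "attacker_rows": sessions["attacker"]["rows_imported"],
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = demo(render)
        print(f"[{name}] attacker sees: {out['attacker']}")
        print(f"[{name}] victim sees:   {out['victim']}")
```

Running the script prints the attacker's payload verbatim inside the alert div under the vulnerable render and entity-encoded under the hardened one, while the victim's div only ever carries the server-generated validation message. The design point is that the fix is output encoding at the template, not input filtering of the request: the property is legitimately client-writable, so the server cannot decide at update time whether the text is hostile, but it can always emit it as text.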
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691f47cad2e902043d2402e5
Added to database: 11/20/2025, 4:54:34 PM
Last enriched: 11/27/2025, 6:02:27 PM
Last updated: 1/7/2026, 8:49:33 AM
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)