CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability affecting the open-source dashboard application homarr prior to version 1.43.3. The root cause is improper input validation (CWE-20) and unsafe handling of uploaded SVG files (CWE-434). Specifically, homarr renders uploaded SVG images without sufficient sanitization, allowing embedded malicious JavaScript code to execute in the context of any user viewing the SVG. This vulnerability is particularly dangerous because it can be exploited with minimal or no user interaction beyond viewing or being redirected to a page rendering the malicious SVG. The attacker can leverage this XSS to escalate privileges by adding their account to the "credentials-admin" group, effectively gaining full administrative control over the dashboard. This can lead to unauthorized access to sensitive credentials and configuration data managed by homarr. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity due to network attack vector, low attack complexity, requirement for privileged user interaction, and impact on confidentiality and integrity. Although no known exploits have been reported in the wild, the potential for administrative takeover makes this a critical risk for affected deployments. The issue was addressed in homarr version 1.43.3 by implementing proper input validation and sanitization of SVG uploads to prevent script execution.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on homarr dashboards to manage credentials and administrative tasks. Exploitation can lead to unauthorized administrative access, allowing attackers to manipulate sensitive configuration data, steal credentials, or disrupt dashboard operations. This compromises confidentiality and integrity of critical information and may facilitate further lateral movement within the network. Given the dashboard’s role in centralizing access to various services, a successful attack could cascade into broader organizational compromise. The requirement for an administrator to view the malicious SVG somewhat limits the attack surface but does not eliminate risk, as targeted phishing or social engineering could induce such interaction. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and critical infrastructure, face increased compliance and reputational risks if exploited. Additionally, the lack of known exploits in the wild suggests a window of opportunity for proactive patching before widespread attacks occur.

European organizations should immediately upgrade all homarr instances to version 1.43.3 or later to apply the official patch that sanitizes SVG uploads and prevents script execution. Until patching is complete, restrict SVG file uploads to trusted users only and consider disabling SVG rendering if feasible. Implement strict content security policies (CSP) to limit script execution contexts and reduce XSS impact. Monitor dashboard access logs for unusual administrator activity or unexpected account privilege changes. Educate administrators about the risk of viewing untrusted content within the dashboard and encourage cautious handling of uploaded files. Employ network segmentation to isolate dashboard servers and limit exposure to external attackers. Regularly audit user accounts and group memberships to detect unauthorized privilege escalations. Finally, integrate vulnerability scanning and automated patch management to ensure timely updates of homarr and related software components.