
CVE-2025-66908: n/a

Severity: Medium
Published: Fri Dec 19 2025 (12/19/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served.

AI-Powered Analysis

Last updated: 12/19/2025, 15:09:41 UTC

Technical Analysis

The vulnerability identified as CVE-2025-66908 affects the Turms AI-Serving module version 0.10.0-SNAPSHOT and earlier. It arises from improper validation of uploaded files in the OCR image upload functionality. Specifically, the OcrController uses the @FormData annotation to restrict uploads to image files by checking the Content-Type header and file extensions. However, this validation is insufficient because it relies solely on client-provided metadata without verifying the actual file content via magic bytes or file signatures. Consequently, an attacker can craft requests with a Content-Type header set to "image/*" or use image file extensions while uploading malicious files such as executables, scripts, HTML files, or web shells. If these files are processed or served by the server without proper sanitization, it can lead to severe security consequences including server-side code execution, stored cross-site scripting (XSS), or information disclosure. The vulnerability does not require authentication or user interaction, increasing its risk profile. Although no known exploits have been reported in the wild, the flaw presents a significant attack vector due to the common use of OCR modules in AI-driven applications. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors. The vulnerability's root cause is the absence of robust server-side file content validation, a critical oversight in secure file upload implementations.

Potential Impact

For European organizations, the impact of CVE-2025-66908 can be substantial. Organizations using the Turms AI-Serving module for OCR tasks may face risks of unauthorized code execution on their servers if attackers upload malicious files disguised as images. This can lead to full system compromise, data breaches, or persistent cross-site scripting attacks affecting users and internal systems. The vulnerability threatens confidentiality, integrity, and availability of affected systems. Sectors such as finance, healthcare, government, and technology firms that rely on AI and OCR for document processing are particularly vulnerable. Exploitation could result in exposure of sensitive personal or corporate data, disruption of critical services, and reputational damage. Given the ease of exploitation without authentication, attackers could automate attacks at scale. The lack of current known exploits provides a window for proactive mitigation, but the potential impact warrants urgent attention to prevent future incidents.

Mitigation Recommendations

To mitigate CVE-2025-66908, organizations should implement strict server-side validation of uploaded files beyond relying on Content-Type headers and file extensions. This includes verifying file signatures (magic bytes) to confirm the file type matches expected image formats. Employing libraries or tools that perform deep content inspection can prevent malicious files from being accepted. Additionally, restrict upload permissions and isolate upload directories to minimize the impact of any malicious files. Sanitize and validate any user-generated content before processing or serving it to prevent XSS attacks. Implement application-layer firewalls or intrusion detection systems to monitor and block suspicious upload attempts. Regularly update the Turms AI-Serving module to versions where this vulnerability is patched once available. Conduct security code reviews and penetration testing focused on file upload functionalities. Finally, educate developers and administrators about secure file handling best practices to prevent similar issues.
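The following is an added example, not code from the Turms project or from this advisory, that puts the two checks described above side by side: the metadata-only pattern the Technical Analysis describes (trusting the client's Content-Type header and the file extension) and the server-side magic-byte check the Mitigation Recommendations call for. The accepted formats, field names, and the constructed sample uploads are assumptions made here for illustration.

```python
"""Added example (not Turms code): metadata-only upload check versus a
magic-byte (file signature) check.

Assumptions made here, not taken from the advisory: the set of accepted
image formats, the function names, and the constructed sample uploads.
"""
from typing import Optional, Tuple

# Leading byte signatures of the image formats this example accepts.
# WebP is "RIFF" <4-byte size> "WEBP", so it is handled by an offset check.
MAGIC_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "image/bmp": [b"BM"],
}

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's own bytes, or None."""
    for mime, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def metadata_only_check(filename: str, content_type: str, data: bytes) -> bool:
    """The weak pattern the advisory describes: only client metadata is consulted.

    The file bytes are accepted as a parameter but never inspected.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return content_type.lower().startswith("image/") and ext in ALLOWED_EXTENSIONS


def content_check(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: the bytes decide, and must agree with the declared type."""
    if not metadata_only_check(filename, content_type, data):
        return False, "rejected: metadata does not describe an image"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "rejected: content is not a supported image format"
    declared = content_type.split(";")[0].strip().lower()
    # A wildcard declaration is allowed; a concrete type must match the bytes.
    if declared != "image/*" and declared != sniffed:
        return False, f"rejected: declared {declared} but content is {sniffed}"
    return True, f"accepted as {sniffed}"


# Constructed sample uploads (not real files): a PNG signature with padding,
# and an HTML document carrying an image extension and Content-Type.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML = b"<html><body>not an image</body></html>"


if __name__ == "__main__":
    for name, ctype, blob in [
        ("scan.png", "image/png", SAMPLE_PNG),
        ("scan.png", "image/*", SAMPLE_HTML),
        ("scan.jpg", "image/jpeg", SAMPLE_PNG),
    ]:
        weak = metadata_only_check(name, ctype, blob)
        ok, reason = content_check(name, ctype, blob)
        print(f"{name} ({ctype}): metadata-only={weak}, content-check={ok} ({reason})")
```

The weak check accepts the HTML blob as soon as the client labels it `image/*` with a `.png` name, which is exactly the bypass the advisory describes; the content check rejects it because the first bytes are not any known image signature. A signature check is necessary but not sufficient: it inspects only the header, so a file that begins with a valid image signature and continues with other content still passes. Decoding and re-encoding the image with an image library, storing uploads outside the web root under server-assigned names, and serving them with a fixed Content-Type and `X-Content-Type-Options: nosniff` close the remaining gaps described under "depending on how uploaded files are processed and served".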


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-12-08T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69456762a90e3c9a1540c4bb

Added to database: 12/19/2025, 2:55:30 PM

Last enriched: 12/19/2025, 3:09:41 PM

Last updated: 12/19/2025, 5:02:46 PM

