CVE-2025-70297 is a stored cross-site scripting (XSS) vulnerability affecting Mealie version 3.3.1, specifically in the recipe asset upload and media serving components. The vulnerability arises because the application allows authenticated users to upload SVG files without sufficient sanitization or validation. These SVG files, served with the MIME type image/svg+xml, can contain embedded JavaScript or HTML code. When a victim views the uploaded SVG image, their browser executes the malicious script, leading to potential session hijacking, credential theft, or unauthorized actions within the application context. The vulnerability requires the attacker to be authenticated and for the victim to interact with the malicious content. The CVSS v3.1 score of 6.1 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed. The scope is changed due to the potential impact on other users viewing the malicious SVG. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is on the confidentiality and integrity of user data within Mealie deployments. Attackers can execute arbitrary scripts in the context of other users' browsers, potentially stealing session tokens, performing actions on behalf of victims, or injecting malicious content. This can lead to account compromise, data leakage, or defacement of content. Since the vulnerability requires authentication for uploading malicious SVGs, insider threats or compromised accounts pose a significant risk. The availability impact is minimal as the vulnerability does not directly cause denial of service. Organizations relying on Mealie for recipe management or media sharing may face reputational damage and user trust erosion if exploited. The risk is amplified in environments with multiple users and sensitive data. Although no known exploits exist yet, the ease of exploitation and public disclosure increase the likelihood of future attacks.

To mitigate CVE-2025-70297, organizations should implement strict input validation and sanitization on uploaded SVG files, removing or neutralizing any embedded scripts or potentially dangerous elements. Employing a whitelist approach for allowed SVG content or converting SVGs to safer formats (e.g., PNG) before serving can reduce risk. Restricting upload permissions to highly trusted users and monitoring upload activity for suspicious files is advisable. Additionally, configuring Content Security Policy (CSP) headers to restrict script execution and disallow inline scripts can limit the impact of XSS attacks. Regularly updating Mealie to newer versions that address this vulnerability once available is critical. Educating users about the risks of interacting with untrusted media and implementing multi-factor authentication can further reduce exploitation likelihood. Finally, conducting security audits and penetration testing focused on file upload components will help identify and remediate similar issues proactively.