CVE-2025-70297: n/a

Severity: High
Published: Wed Feb 11 2026 (02/11/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-70297 is a stored cross-site scripting (XSS) vulnerability in Mealie version 3.3.1, specifically in the recipe asset upload and media serving component. Remote authenticated users can exploit this flaw by uploading a crafted SVG file containing malicious script, which is then served with the image/svg+xml MIME type and executed in the victim's browser. The vulnerability requires authentication but can lead to arbitrary script execution, potentially compromising user sessions, stealing sensitive data, or performing actions on behalf of the victim. There are no known exploits in the wild yet, and no CVSS score has been assigned. European organizations using Mealie 3.3.1 or similar versions are at risk, especially those with multiple authenticated users who upload media content. Mitigation involves restricting SVG uploads, sanitizing SVG content, applying a strict Content Security Policy (CSP), and updating or patching the affected component once a fix is available.

AI-Powered Analysis

Last updated: 02/11/2026, 19:15:38 UTC

Technical Analysis

CVE-2025-70297 is a stored cross-site scripting (XSS) vulnerability affecting Mealie version 3.3.1, an open-source recipe management application. The vulnerability exists in the recipe asset upload and media serving component, where authenticated users can upload SVG files containing malicious JavaScript or HTML payloads. These SVG files are served with the MIME type image/svg+xml, which modern browsers render and execute, enabling the injected script to run in the context of the victim's browser session. Because the vulnerability is stored, the malicious payload persists on the server and is delivered to any user viewing the affected media, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. Exploitation requires authentication, which limits the attack surface to users with upload permissions, but does not require additional user interaction beyond viewing the malicious content. No official patches or CVSS scores have been published yet, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation and improper handling of SVG files, which can embed executable scripts. The lack of sanitization or filtering of SVG content allows attackers to bypass typical image upload restrictions. This issue underscores the importance of secure file upload handling, especially for vector graphics that support embedded scripting. Organizations using Mealie 3.3.1 should be aware of this vulnerability and prepare to implement mitigations or updates once available.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of user data and sessions. If exploited, attackers could hijack authenticated user sessions, steal sensitive information such as credentials or personal data, and perform unauthorized actions within the application. This could lead to broader compromise of internal systems if the application integrates with other services or holds sensitive business data. The requirement for authentication reduces the risk from anonymous attackers but does not eliminate it, especially in environments with many users or weak access controls. Hospitality, culinary, and food service organizations using Mealie or similar platforms for recipe management and media sharing are particularly vulnerable. The stored nature of the XSS means multiple users can be affected once the malicious SVG is uploaded, increasing the scope of impact. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains high given the ease of exploitation post-authentication and the potential damage from session hijacking or data theft.

Mitigation Recommendations

1. Immediately restrict or disable SVG file uploads in Mealie 3.3.1 until a patch is available.
2. Implement server-side sanitization of SVG files to remove any embedded scripts or potentially malicious content before storing or serving them.
3. Apply strict Content Security Policies (CSP) that disallow inline scripts and restrict the sources of executable content to mitigate the impact of any injected scripts.
4. Enforce strong authentication and role-based access controls to limit upload permissions to trusted users only.
5. Monitor logs and user activity for unusual upload patterns or access to media files that could indicate exploitation attempts.
6. Educate users about the risks of uploading untrusted SVG content and encourage the use of safer image formats like PNG or JPEG.
7. Stay updated with Mealie project releases and apply security patches promptly once available.
8. Consider implementing web application firewalls (WAF) with rules to detect and block malicious SVG payloads.
9. Conduct regular security assessments and penetration testing focusing on file upload functionalities.
10. If possible, isolate the media serving component to a separate domain or subdomain to leverage browser security features like separate origin policies.
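The following is an added example illustrating recommendations 2 and 3 above (server-side SVG sanitization and a restrictive CSP on served media); it is not Mealie project code and its function names and file layout are assumptions. It uses only the Python standard library: the sanitizer parses the uploaded SVG, drops elements that can carry executable or foreign content, strips event-handler attributes and active URL schemes, and returns a list of what it removed so the upload handler can log it (recommendation 5). The header helper shows a response policy under which a stored SVG, when opened directly as a document, is sandboxed and cannot run script even if something survived sanitization. Note that script inside an SVG only executes when the file is loaded as a document (direct navigation, iframe, object), not when embedded via an img tag, which is why the served-media headers matter as much as the stored content. ElementTree is not hardened against XML entity-expansion attacks; a production deployment should parse untrusted uploads with defusedxml or equivalent.

```python
"""Defensive handling of user-uploaded SVG files (added example, not Mealie code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script, embed foreign (HTML) content, or animate attributes
# into a dangerous state. The set is an assumption for illustration, not exhaustive.
ACTIVE_ELEMENTS = {
    "script", "foreignObject", "handler", "set", "animate", "animateTransform",
    "iframe", "embed", "object",
}
# data: URLs are allowed only for raster image types; nested SVG and anything else is dropped.
SAFE_DATA_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    """True if an attribute value uses a scheme that can execute or smuggle content.
    Whitespace and control characters are removed first, since browsers ignore them
    inside the scheme (e.g. 'java\\nscript:')."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    if v.startswith("data:"):
        return not v.startswith(SAFE_DATA_PREFIXES)
    return False


def _strip_active(elem: ET.Element, removed: list) -> None:
    """Recursively remove active elements and attributes, recording each removal."""
    for child in list(elem):
        tag = _local(child.tag)
        if tag in ACTIVE_ELEMENTS:
            removed.append(f"element:{tag}")
            elem.remove(child)
        else:
            _strip_active(child, removed)
    for name, value in list(elem.attrib.items()):
        lname = _local(name).lower()
        # on* covers onload, onclick, onerror, ...; the URL check covers href/xlink:href.
        if lname.startswith("on") or _unsafe_url(value):
            removed.append(f"attribute:{lname}")
            del elem.attrib[name]


def sanitize_svg(raw: bytes):
    """Return (sanitized SVG text, list of removals). Raises on non-XML or non-SVG input.
    Caveat: ElementTree does not defend against entity-expansion attacks; use defusedxml
    for untrusted input in production."""
    ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(raw)                # ET.ParseError for malformed input
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: list = []
    _strip_active(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def svg_serving_headers() -> dict:
    """Response headers for serving a stored SVG. The CSP sandboxes the document and
    forbids every script source; inline styles stay allowed so the image still renders.
    X-Content-Type-Options stops MIME sniffing of the stored bytes."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; "
                                   "img-src 'self' data:; sandbox",
    }


# Constructed sample upload: a benign circle plus several active-content vectors.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="java&#10;script:alert(3)"><text>hi</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>
  <circle r="10" onclick="alert(5)"/>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_UPLOAD)
    print(clean)
    print("removed:", removed)          # what an upload handler would log
    print(svg_serving_headers())
```

In an upload handler the removal list is the detection signal: an SVG that needed any removals is worth logging with the uploading account, and a policy that rejects such uploads outright (recommendation 1) is stricter than storing the cleaned copy.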

Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-01-09T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 698cd1fb4b57a58fa1b55bbb

Added to database: 2/11/2026, 7:01:15 PM

Last enriched: 2/11/2026, 7:15:38 PM

Last updated: 2/11/2026, 8:01:43 PM