
CVE-2025-7066: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau project Jirafeau

Severity: Medium
Published: Fri Jul 04 2025 (07/04/2025, 12:02:34 UTC)
Source: CVE Database V5
Vendor/Project: Jirafeau project
Product: Jirafeau

Description

Jirafeau normally prevents browser preview for text files because, for example, SVG and HTML documents could be exploited for cross-site scripting. This was done by storing the MIME type of a file and allowing browser preview only for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and another MIME type such as text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would take precedence, allowing a possible attacker to perform a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.

AI-Powered Analysis

Last updated: 09/17/2025, 00:34:47 UTC

Technical Analysis

CVE-2025-7066 is a medium-severity cross-site scripting (XSS) vulnerability affecting the Jirafeau project, an open-source file-sharing web application. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Jirafeau attempts to prevent browser preview of text files to mitigate XSS risks by restricting previews to files whose stored MIME type starts with image (excluding image/svg+xml because of prior vulnerabilities), video, or audio. However, an attacker can bypass this MIME type check by submitting a manipulated MIME type containing a comma followed by a second MIME type such as text/html (e.g., image/png,text/html): the prefix check still sees image/, while the browser sees multiple MIME types and prioritizes text/html, so script embedded in the file content executes. This leads to cross-site scripting attacks that can compromise user sessions, steal sensitive data, or perform unauthorized actions within the context of the victim's browser session. The vulnerability does not require authentication but does require user interaction (e.g., previewing the malicious file). The scope is limited to users who preview files through Jirafeau instances vulnerable to this MIME type parsing flaw. The vendor has enhanced MIME type validation to block previews when the stored MIME type contains a comma, mitigating this attack vector. No known exploits are reported in the wild as of the publication date. The CVSS 3.1 score is 6.1 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and partial confidentiality and integrity impacts with no availability impact.
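To make the bypass and the fix concrete, the following is an added illustration (not Jirafeau's code; function names are hypothetical) of the prefix-based preview check described above beside a hardened version. The hardened check applies the advisory's fix (reject any stored MIME type containing a comma) and goes one step further by requiring a single well-formed `type/subtype` token pair, which is an assumption of this example rather than something the advisory states.

```python
import re

# Preview policy described in the advisory: only image/*, video/* and audio/*
# may be previewed in the browser, with image/svg+xml explicitly excluded.
PREVIEW_PREFIXES = ("image", "video", "audio")
BLOCKED_TYPES = {"image/svg+xml"}

def preview_allowed_legacy(mime: str) -> bool:
    """Pre-fix behaviour: a plain prefix match on the stored MIME string.
    'image/png,text/html' starts with 'image/' and therefore passes."""
    mime = mime.strip().lower()
    if mime in BLOCKED_TYPES:
        return False
    return any(mime.startswith(p + "/") for p in PREVIEW_PREFIXES)

# RFC 2045 'token' characters: no whitespace and none of ()<>@,;:\"/[]?=
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_SINGLE_MIME = re.compile(rf"^({_TOKEN})/({_TOKEN})$")

def preview_allowed_fixed(mime: str) -> bool:
    """Post-fix behaviour: the advisory's comma rule, plus a strict grammar
    check so that only one bare type/subtype pair can ever be previewed."""
    mime = mime.strip().lower()
    if "," in mime:                 # the fix described in the advisory
        return False
    match = _SINGLE_MIME.match(mime)  # reject spaces, ';' parameters, etc.
    if match is None:
        return False
    if mime in BLOCKED_TYPES:
        return False
    return match.group(1) in PREVIEW_PREFIXES

if __name__ == "__main__":
    # Constructed sample values, including the bypass shape from the advisory.
    samples = ["image/png", "video/mp4", "image/svg+xml", "text/html",
               "image/png,text/html", "image/png, text/html"]
    for value in samples:
        print(f"{value!r:28} legacy={preview_allowed_legacy(value)!s:5} "
              f"fixed={preview_allowed_fixed(value)}")
```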

Potential Impact

For European organizations using Jirafeau for file sharing, this vulnerability poses a risk of client-side attacks via malicious file previews. Successful exploitation could lead to theft of session cookies, credentials, or other sensitive information accessible in the browser context, enabling further compromise of user accounts or internal resources. This is particularly concerning for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies. The vulnerability could also facilitate phishing or social engineering campaigns by injecting malicious scripts that alter the user interface or redirect users to fraudulent sites. Although the impact is limited to users interacting with the preview feature, the potential for lateral movement or data leakage exists if attackers leverage stolen credentials or session tokens. Given the medium severity and lack of known exploits, the immediate risk is moderate but warrants timely remediation to prevent future exploitation.

Mitigation Recommendations

Organizations should ensure that their Jirafeau deployments are updated to the latest version where MIME type validation has been enhanced to reject MIME types containing commas, effectively blocking this bypass technique. If an official patch is not yet available, administrators should consider disabling the browser preview feature entirely or restricting file uploads and previews to trusted users only. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Additionally, user education on the risks of previewing untrusted files and monitoring web server logs for suspicious MIME type patterns can aid in early detection. Network-level protections such as web application firewalls (WAFs) can be tuned to detect and block requests with suspicious MIME type headers containing commas or multiple types. Regular security assessments and penetration testing of file sharing platforms should include tests for MIME type parsing vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2025-07-04T12:02:29.560Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6867c4786f40f0eb72a08436

Added to database: 7/4/2025, 12:09:28 PM

Last enriched: 9/17/2025, 12:34:47 AM

Last updated: 10/3/2025, 11:51:06 AM
