CVE-2025-7066: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau project Jirafeau
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross-site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and another MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would take precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.
AI Analysis
Technical Summary
CVE-2025-7066 is a medium-severity cross-site scripting (XSS) vulnerability in Jirafeau, an open-source file-sharing web application, classified as CWE-79 (improper neutralization of input during web page generation). Jirafeau normally refuses to render uploaded text files inline, because an HTML or SVG document would execute script in the origin of the Jirafeau instance. The gate is the MIME type recorded at upload time: inline preview is allowed only when the stored type begins with image/ (except image/svg+xml, excluded after CVE-2022-30110 and CVE-2024-12326), video/ or audio/. That check is a prefix match, and the stored value is whatever MIME type the uploader declared. An uploader can therefore declare a composite value such as "image/png,text/html": it passes the prefix check and is later used as the Content-Type of the preview response. Browsers treat a comma-separated Content-Type as a list of header values and use the last one that parses (the behaviour the Fetch standard specifies for extracting a MIME type from a header), so the response is rendered as text/html and any script in the file runs in the victim's browser under the instance's origin. The resulting XSS can be used to steal session tokens, impersonate the user or perform actions on their behalf. No authentication is needed to upload the file, but a victim must open the preview link (user interaction required), and only users who preview files through the vulnerable instance are affected. The fix strengthens the MIME check so that a stored type containing a comma is never previewed inline. No exploitation in the wild is reported. The CVSS 3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, no availability impact.
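The following is an added example, not Jirafeau's own code (Jirafeau is written in PHP; this is a Python model of the logic the advisory describes). It reconstructs the prefix-based preview check, the comma-rejecting fix the advisory mentions, a stricter allow-list that this example proposes as an assumption (not what the project ships), and a simplified model of how a browser picks one MIME type out of a comma-joined Content-Type header, so the bypass and both fixes can be exercised side by side.

```python
"""Added example (not Jirafeau's own code): why "image/png,text/html" slips
past a prefix-based MIME check, and two ways to close the hole."""
import re
from typing import Optional

# One RFC 2045 token on each side of the slash; commas, semicolons and
# whitespace are deliberately not in the character class.
_MIME_RE = re.compile(r"^([A-Za-z0-9!#$&^_.+-]+)/([A-Za-z0-9!#$&^_.+-]+)$")


def browser_effective_mime(content_type: str) -> Optional[str]:
    """Simplified model of the Fetch standard's 'extract a MIME type':
    the header value is split on commas, each piece is parsed, and the
    LAST piece that parses wins. Parameters (';charset=...') are dropped.
    This is a model for illustration, not a full implementation."""
    chosen = None
    for piece in content_type.split(","):
        essence = piece.split(";", 1)[0].strip().lower()
        if _MIME_RE.match(essence):
            chosen = essence
    return chosen


def preview_allowed_vulnerable(stored_mime: str) -> bool:
    """Reconstruction of the pre-fix logic as the advisory describes it:
    a prefix match on the stored type, with image/svg+xml excluded."""
    m = stored_mime.lower()
    if m == "image/svg+xml":
        return False
    return m.startswith(("image/", "video/", "audio/"))


def preview_allowed_comma_fix(stored_mime: str) -> bool:
    """The fix the advisory describes: additionally refuse any stored
    type that contains a comma, so a header list can never be served."""
    if "," in stored_mime:
        return False
    return preview_allowed_vulnerable(stored_mime)


def preview_allowed_strict(stored_mime: str) -> bool:
    """Stricter allow-list (an assumption of this example, not the
    project's fix): the whole stored string must be exactly one
    well-formed type/subtype with an allowed top-level type, with no
    parameters and no lists, and no XML- or HTML-flavoured subtype."""
    m = _MIME_RE.match(stored_mime.strip().lower())
    if not m:
        return False
    top, sub = m.group(1), m.group(2)
    if top not in ("image", "video", "audio"):
        return False
    # image/svg+xml is XML and can carry <script>; the substring check
    # also catches any other +xml or html-like subtype.
    if "xml" in sub or "html" in sub:
        return False
    return True


def evaluate(stored_mime: str) -> dict:
    """Run one stored MIME value through the browser model and all three
    server-side checks; handy for comparing the cases in the advisory."""
    return {
        "browser_renders_as": browser_effective_mime(stored_mime),
        "vulnerable_check": preview_allowed_vulnerable(stored_mime),
        "comma_fix": preview_allowed_comma_fix(stored_mime),
        "strict_check": preview_allowed_strict(stored_mime),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a benign image, the excluded SVG case,
    # the bypass value from the advisory, and a plain HTML type.
    for value in ("image/png", "image/svg+xml",
                  "image/png,text/html", "text/html"):
        print(f"{value!r}: {evaluate(value)}")
```

The bypass value is the only one for which the vulnerable check says "allowed" while the browser model says "text/html"; both fixes reject it. The strict variant also rejects values with parameters or stray whitespace, which the comma-only fix still lets through to the prefix match.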
Potential Impact
For European organizations using Jirafeau for internal or external file sharing, this vulnerability could lead to targeted cross-site scripting attacks. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. This risk is particularly relevant for organizations handling sensitive or regulated data, as it could facilitate data leakage or unauthorized access. The vulnerability could also undermine user trust in file sharing platforms and expose organizations to compliance risks under GDPR if personal data is compromised. Since the attack requires user interaction, phishing or social engineering could be used to trick users into previewing malicious files. The impact is heightened in environments where Jirafeau is exposed to untrusted users or external collaborators. However, the lack of known active exploits and the medium severity rating suggest the threat is moderate but should not be ignored.
Mitigation Recommendations
Organizations should update Jirafeau to a release that contains the fix (the strengthened MIME check that refuses to preview any stored type containing a comma). Where an update is not immediately possible, disable browser preview for all file types, or restrict uploads and previews to trusted users. As defence in depth, serve downloads with Content-Disposition: attachment and X-Content-Type-Options: nosniff so that the browser neither renders the file inline nor guesses a type, and send a restrictive Content-Security-Policy (for example one that disallows inline script) on the file-serving endpoint as well as on the application pages; a policy that is only set on the main pages does not cover a previewed file served from the same origin. Because exploitation needs a victim to open a preview link, phishing with such links is the likely delivery path, so user awareness and review of preview requests in the web server logs help detect attempts; searching stored file metadata for MIME types containing a comma identifies files uploaded with the bypass value before the fix was applied. Include file-sharing platforms in regular security audits and penetration tests, since the same class of input-validation flaw (a prefix or substring check on an attacker-controlled type string) recurs in other upload handlers. Finally, consider placing Jirafeau instances behind a VPN or on an internal network to reduce exposure to external attackers.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitLab
- Date Reserved: 2025-07-04T12:02:29.560Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6867c4786f40f0eb72a08436
Added to database: 7/4/2025, 12:09:28 PM
Last enriched: 7/4/2025, 12:24:30 PM
Last updated: 7/4/2025, 12:24:30 PM
Views: 2
Related Threats
- CVE-2025-53482: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Wikimedia Foundation Mediawiki - IPInfo Extension (severity: Unknown)
- CVE-2025-53481: CWE-400 Uncontrolled Resource Consumption in Wikimedia Foundation Mediawiki - IPInfo Extension (severity: High)
- CVE-2025-49600: CWE-325 Missing Cryptographic Step in Mbed mbedtls (severity: Medium)
- CVE-2025-49601: CWE-125 Out-of-bounds Read in Mbed mbedtls (severity: Medium)
- CVE-2025-52497: CWE-193 Off-by-one Error in Mbed mbedtls (severity: Medium)