CVE-2025-70849 is a vulnerability affecting podinfo, a popular demo application often used in Kubernetes and cloud-native environments, up to version 6.9.0. The flaw allows unauthenticated attackers to upload arbitrary files by sending a crafted POST request to the /store endpoint. The core issue arises because the application does not enforce a restrictive Content-Security-Policy (CSP) and fails to properly validate the Content-Type of uploaded files. This combination enables attackers to upload malicious scripts that are then stored and rendered by the application, resulting in stored cross-site scripting (XSS). Stored XSS can lead to execution of arbitrary JavaScript in the context of users’ browsers, potentially allowing attackers to steal session tokens, perform actions on behalf of users, or deliver further malware. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction to trigger the XSS payload. No known exploits have been reported in the wild, and no official patches have been released yet. The vulnerability’s scope is limited to confidentiality and integrity impacts, with no direct availability impact. The lack of authentication requirement increases the risk, as any remote attacker can attempt exploitation. The vulnerability is particularly relevant for environments where podinfo is deployed and exposed, especially in cloud-native and Kubernetes demonstration or testing setups.

For European organizations, the impact of CVE-2025-70849 can be significant in environments where podinfo is used, especially in development, testing, or demonstration clusters exposed to untrusted networks. Successful exploitation can lead to stored XSS attacks, compromising the confidentiality and integrity of user sessions and data. Attackers could hijack user sessions, steal sensitive information, or perform unauthorized actions within the application context. While podinfo itself is often used as a demo or test tool, its presence in production or semi-production environments could expose organizations to client-side attacks that may serve as a foothold for further compromise. The lack of restrictive CSP and inadequate file validation increases the risk of malicious payloads being executed in users’ browsers. European organizations with cloud-native infrastructure, especially those leveraging Kubernetes and related tooling, may be more exposed. The vulnerability does not directly affect availability but can undermine trust and lead to data breaches or compliance issues under GDPR if personal data is involved. The medium CVSS score reflects the moderate but non-trivial risk posed by this vulnerability.

To mitigate CVE-2025-70849, European organizations should: 1) Immediately review and restrict access to the /store endpoint, ideally limiting it to trusted users or internal networks. 2) Implement strict Content-Security-Policy (CSP) headers that disallow inline scripts and restrict sources of executable content to trusted domains only. 3) Enforce robust server-side validation of uploaded files, including validating Content-Type headers and file extensions, and rejecting any files that do not conform to expected safe types (e.g., images only). 4) Sanitize and encode any user-supplied content before rendering it in the application to prevent script execution. 5) Monitor logs and network traffic for unusual POST requests to the /store endpoint that may indicate exploitation attempts. 6) Consider deploying web application firewalls (WAFs) with rules to detect and block malicious file uploads and XSS payloads. 7) Stay updated with podinfo releases and apply patches promptly once available. 8) Educate developers and administrators about secure file upload practices and the risks of stored XSS. 9) If podinfo is used only for demos or testing, consider isolating or removing it from production environments to reduce attack surface. 10) Conduct regular security assessments and penetration testing focusing on file upload functionalities and CSP enforcement.