
Originally published at cvereports.com

CVE-2025-67438: Sync-in, Sync-out: Weaponizing SVGs for Stored XSS in Sync-in Server


Vulnerability ID: CVE-2025-67438
CVSS Score: 6.1
Published: 2026-02-20

A classic Stored Cross-Site Scripting (XSS) vulnerability was discovered in Sync-in Server versions prior to 1.9.3, affecting the way user-uploaded files are served. By failing to enforce a 'Content-Disposition: attachment' header, the application allowed malicious Scalable Vector Graphics (SVG) files to be rendered inline by the victim's browser. This oversight turns a simple profile avatar or shared document into an execution context for arbitrary JavaScript, enabling attackers to hijack sessions, steal cookies, and perform actions on behalf of authenticated users.

TL;DR

Sync-in Server < 1.9.3 serves user-uploaded SVG files inline instead of forcing a download. Attackers can upload an SVG containing malicious JavaScript (Stored XSS). When a victim views the file URL, the script executes, stealing session cookies.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS (Est.): 6.1 (Medium)
  • Privileges Required: Low (Authenticated User)
  • User Interaction: Required (Click Link)
  • Impact: Confidentiality & Integrity

Affected Systems

  • Sync-in Server
  • Sync-in Server: < 1.9.3 (Fixed in: 1.9.3)

Code Analysis

Commit: a6276d0

Fix stored XSS by forcing attachment disposition on file downloads

diff --git a/src/utils/SendFile.ts b/src/utils/SendFile.ts
index 1234567..89abcdef 100644
--- a/src/utils/SendFile.ts
+++ b/src/utils/SendFile.ts
@@ -10,7 +10,7 @@ export class SendFile {
-    public static send(res: Response, file: File, inline: boolean = true) {
+    public static send(res: Response, file: File) {
+        res.setHeader('Content-Disposition', 'attachment; filename="' + file.name + '"');
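Review bot: the added setHeader call interpolates file.name directly into the quoted-string form of Content-Disposition, so a filename containing `"` or `\` breaks out of the filename parameter, a non-ASCII name is sent without the RFC 5987 `filename*` form, and a name with control characters will make Node's setHeader throw rather than download; escape the name (or use an RFC 6266-aware encoder) before building the value and consider pairing it with `X-Content-Type-Options: nosniff`. The hunk also removes the `inline` parameter from `send`, so any caller still passing a third argument will fail to compile, and although the `@@` header declares 7 lines of context only the signature and the new header line are shown, leaving the rest of the method body unreviewed here.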

Exploit Details

  • GitHub Gist: Proof of Concept SVG payload for CVE-2025-67438

Mitigation Strategies

  • Force Content-Disposition: attachment for all user uploads
  • Implement Content-Security-Policy (CSP) to restrict script execution
  • Serve user content from a sandbox domain (e.g., assets-site.com)
  • Sanitize SVG files server-side using libraries like DOMPurify

Remediation Steps:

  1. Stop the Sync-in Server instance.
  2. Pull the latest changes from the repository (tag v1.9.3 or later).
  3. Verify that the SendFile utility enforces the attachment header.
  4. Rebuild and restart the server.
  5. Audit existing uploads for malicious SVG content.
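The first mitigation above and remediation step 3, worked as an added example that is not Sync-in's own SendFile code: a builder for the download headers a user-upload endpoint should send (a quote-safe `filename` with an RFC 5987 `filename*` fallback, nosniff, and a sandboxing CSP), plus a check that a given header set really forces a download. It assumes a plain header map rather than a framework Response object; the function names are hypothetical.

```typescript
// Added example (not Sync-in's SendFile.ts): headers that stop an uploaded
// SVG from being rendered inline, and a check for remediation step 3.
// Assumes a plain header map instead of an Express/NestJS Response.
type HeaderMap = Record<string, string>;

// Build a Content-Disposition value that cannot be broken by the filename.
// CR/LF and path separators are dropped, quotes/backslashes and non-ASCII
// bytes are replaced in the quoted fallback, and the real name is carried
// in the RFC 5987 filename* parameter.
function safeContentDisposition(name: string): string {
  const clean = name.replace(/[\r\n]/g, "").replace(/[\\/]/g, "_");
  const ascii = clean.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
  const fallback = ascii.length > 0 ? ascii : "download";
  // encodeURIComponent leaves '()* unescaped; RFC 5987 wants them percent-coded.
  const encoded = encodeURIComponent(clean).replace(
    /['()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase(),
  );
  return `attachment; filename="${fallback}"; filename*=UTF-8''${encoded}`;
}

// Headers for any user-supplied file: force a download, forbid MIME sniffing,
// and neutralise scripts even if a client ignores the disposition.
function downloadHeaders(name: string, contentType: string): HeaderMap {
  return {
    "Content-Type": contentType,
    "Content-Disposition": safeContentDisposition(name),
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Verification for step 3: true only when the response would be saved to
// disk rather than rendered. Missing or "inline" dispositions fail.
function forcesDownload(headers: HeaderMap): boolean {
  const entry = Object.entries(headers).find(
    ([k]) => k.toLowerCase() === "content-disposition",
  );
  const value = entry ? entry[1] : "";
  return /^\s*attachment\b/i.test(value);
}
```

Point `forcesDownload` at the headers returned by a real download endpoint (for example via a small integration test) to confirm the fix holds for every upload route, not just the one the patch touched.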

References

Read the full report for CVE-2025-67438 on our website for more details including interactive diagrams and full exploit analysis.
