CVE-2025-27500
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27500 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the OpenZiti project, specifically the ziti-console admin panel. The issue stems from an unauthenticated endpoint at /api/upload that accepts HTTP POST requests to upload files, which are then stored on the node and made accessible via a URL. With a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it enables attackers to upload files containing malicious code that executes in the context of a user's browser when the URL is accessed.
Any unauthenticated attacker with network access can exploit this vulnerability by sending a POST request with a malicious file to the /api/upload endpoint. Once uploaded, the file becomes publicly accessible via a generated URL, so the stored XSS payload executes when an administrative user, or any other user's browser, visits that URL. This can lead to a high confidentiality impact, such as theft of session cookies or other sensitive data, and a limited integrity impact, such as defacement of content within the victim's browser session.
The GitHub security advisory (GHSA-frxm-vm48-5qf2) confirms the vulnerability has been fixed in OpenZiti version 3.7.1 by disabling the /api/upload endpoint entirely, as it is no longer required following the ziti-console's transition from a Node.js server application to a single-page application. Security practitioners should upgrade to version 3.7.1 or later to mitigate this issue.
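Because the fix disables /api/upload outright, any POST to that path in a ziti-console's access log is worth flagging: a 2xx response means a still-vulnerable console accepted a file, while a non-2xx response still records a probing attempt. The following scanner is an added example written for this page, not code from the OpenZiti project; the log lines are constructed samples in Apache/NGINX combined format, and the IP addresses are documentation ranges.

```javascript
// Added example (not OpenZiti project code): find POST requests to the
// ziti-console /api/upload endpoint in web-server access logs.

// Constructed sample access log in combined format (documentation IPs).
const SAMPLE_LOG = `
203.0.113.10 - - [03/Mar/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - admin [03/Mar/2025:10:02:15 +0000] "GET /api/version HTTP/1.1" 200 89 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Mar/2025:10:03:44 +0000] "POST /api/upload?x=1 HTTP/1.1" 200 498 "-" "python-requests/2.31"
192.0.2.55 - - [03/Mar/2025:10:05:01 +0000] "POST /api/upload HTTP/1.1" 404 153 "-" "curl/8.4.0"
`;

// Captures client IP, timestamp, method, request path and status code.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // blank or non-matching lines are skipped
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Every POST whose path (query string stripped) is exactly /api/upload.
// `accepted` marks a 2xx response, i.e. the console stored the file.
function findUploadRequests(logText) {
  return logText
    .split("\n")
    .map(parseLine)
    .filter((r) => r && r.method === "POST" && r.path.split("?")[0] === "/api/upload")
    .map((r) => ({ ...r, accepted: r.status >= 200 && r.status < 300 }));
}

// Accepted uploads per source IP, a convenient shape for an alert rule.
function acceptedUploadsByIp(logText) {
  const counts = {};
  for (const r of findUploadRequests(logText)) {
    if (r.accepted) counts[r.ip] = (counts[r.ip] || 0) + 1;
  }
  return counts;
}
```

On a console already running 3.7.1 or later the expected result is that no request to /api/upload is accepted; any accepted upload indicates an unpatched instance and a stored file to review.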
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated file upload to a public-facing admin endpoint (T1190: Exploit Public-Facing Application) allows malicious files to be stored, producing a stored XSS that facilitates drive-by compromise (T1189) when users view the content.