CVE-2025-34282

CRITICAL

Thingsboard < 4.2.1 - SSRF

Title source: rule

Description

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Exploits (1)

nomisec WORKING POC

by mathitam · poc

https://github.com/mathitam/thingsboard-ssrf-cve-2025-34282

View Code ZIP pw:eip

References (3)

[Issue Tracking] https://github.com/thingsboard/thingsboard/pull/13927

[Release Notes] https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1

[Third Party Advisory] https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf

Scores

CVSS v3 9.1

EPSS 0.0004

EPSS Percentile 13.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-918

Status published

Products (1)

thingsboard/thingsboard < 4.2.1

Published Oct 17, 2025

Tracked Since Feb 18, 2026