Vulnerability Details CVE-2025-34282
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.7%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2025-34282
-
cpe:2.3:a:thingsboard:thingsboard:1.0
-
cpe:2.3:a:thingsboard:thingsboard:1.0.1
-
cpe:2.3:a:thingsboard:thingsboard:1.0.2
-
cpe:2.3:a:thingsboard:thingsboard:1.0.3
-
cpe:2.3:a:thingsboard:thingsboard:1.1
-
cpe:2.3:a:thingsboard:thingsboard:1.2
-
cpe:2.3:a:thingsboard:thingsboard:1.2.1
-
cpe:2.3:a:thingsboard:thingsboard:1.2.2
-
cpe:2.3:a:thingsboard:thingsboard:1.2.3
-
cpe:2.3:a:thingsboard:thingsboard:1.3
-
cpe:2.3:a:thingsboard:thingsboard:1.3.1
-
cpe:2.3:a:thingsboard:thingsboard:1.4
-
cpe:2.3:a:thingsboard:thingsboard:2.0
-
cpe:2.3:a:thingsboard:thingsboard:2.0.1
-
cpe:2.3:a:thingsboard:thingsboard:2.0.2
-
cpe:2.3:a:thingsboard:thingsboard:2.0.3
-
cpe:2.3:a:thingsboard:thingsboard:2.1
-
cpe:2.3:a:thingsboard:thingsboard:2.1.1
-
cpe:2.3:a:thingsboard:thingsboard:2.1.2
-
cpe:2.3:a:thingsboard:thingsboard:2.1.3
-
cpe:2.3:a:thingsboard:thingsboard:2.2
-
cpe:2.3:a:thingsboard:thingsboard:2.3
-
cpe:2.3:a:thingsboard:thingsboard:2.3.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4
-
cpe:2.3:a:thingsboard:thingsboard:2.4.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4.2
-
cpe:2.3:a:thingsboard:thingsboard:2.4.2.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4.3
-
cpe:2.3:a:thingsboard:thingsboard:2.5
-
cpe:2.3:a:thingsboard:thingsboard:2.5.1
-
cpe:2.3:a:thingsboard:thingsboard:2.5.2
-
cpe:2.3:a:thingsboard:thingsboard:2.5.3
-
cpe:2.3:a:thingsboard:thingsboard:2.5.4
-
cpe:2.3:a:thingsboard:thingsboard:2.5.5
-
cpe:2.3:a:thingsboard:thingsboard:3.0
-
cpe:2.3:a:thingsboard:thingsboard:3.0.1
-
cpe:2.3:a:thingsboard:thingsboard:3.1
-
cpe:2.3:a:thingsboard:thingsboard:3.1.1
-
cpe:2.3:a:thingsboard:thingsboard:3.2
-
cpe:2.3:a:thingsboard:thingsboard:3.3
-
cpe:2.3:a:thingsboard:thingsboard:3.3.1
-
cpe:2.3:a:thingsboard:thingsboard:3.3.2
-
cpe:2.3:a:thingsboard:thingsboard:3.3.3
-
cpe:2.3:a:thingsboard:thingsboard:3.3.4
-
cpe:2.3:a:thingsboard:thingsboard:3.3.4.1
-
cpe:2.3:a:thingsboard:thingsboard:3.4
-
cpe:2.3:a:thingsboard:thingsboard:3.4.1
-
cpe:2.3:a:thingsboard:thingsboard:3.4.2
-
cpe:2.3:a:thingsboard:thingsboard:3.4.3
-
cpe:2.3:a:thingsboard:thingsboard:3.4.4
-
cpe:2.3:a:thingsboard:thingsboard:3.5
-
cpe:2.3:a:thingsboard:thingsboard:3.5.1
-
cpe:2.3:a:thingsboard:thingsboard:3.6
-
cpe:2.3:a:thingsboard:thingsboard:3.6.1
-
cpe:2.3:a:thingsboard:thingsboard:3.6.2
-
cpe:2.3:a:thingsboard:thingsboard:3.6.3
-
cpe:2.3:a:thingsboard:thingsboard:3.6.4
-
cpe:2.3:a:thingsboard:thingsboard:3.7
-
cpe:2.3:a:thingsboard:thingsboard:3.8
-
cpe:2.3:a:thingsboard:thingsboard:3.8.1
-
cpe:2.3:a:thingsboard:thingsboard:3.9
-
cpe:2.3:a:thingsboard:thingsboard:3.9.1
-
cpe:2.3:a:thingsboard:thingsboard:4.0
-
cpe:2.3:a:thingsboard:thingsboard:4.0.1
-
cpe:2.3:a:thingsboard:thingsboard:4.0.2
-
cpe:2.3:a:thingsboard:thingsboard:4.1
-
cpe:2.3:a:thingsboard:thingsboard:4.2