Vulnerability Details CVE-2025-58351
Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions, allowing script execution within the context of another user. This is fixed in version 0.84.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.7%
CVSS Severity
CVSS v3 Score 6.8
References
Products affected by CVE-2025-58351
-
cpe:2.3:a:getoutline:outline:0.72.0
-
cpe:2.3:a:getoutline:outline:0.72.0-0
-
cpe:2.3:a:getoutline:outline:0.72.0-1
-
cpe:2.3:a:getoutline:outline:0.72.0-2
-
cpe:2.3:a:getoutline:outline:0.72.0-3
-
cpe:2.3:a:getoutline:outline:0.72.1
-
cpe:2.3:a:getoutline:outline:0.72.2
-
cpe:2.3:a:getoutline:outline:0.73.0
-
cpe:2.3:a:getoutline:outline:0.73.1
-
cpe:2.3:a:getoutline:outline:0.74.0
-
cpe:2.3:a:getoutline:outline:0.75.0
-
cpe:2.3:a:getoutline:outline:0.75.1
-
cpe:2.3:a:getoutline:outline:0.75.2
-
cpe:2.3:a:getoutline:outline:0.76.0
-
cpe:2.3:a:getoutline:outline:0.76.0-0
-
cpe:2.3:a:getoutline:outline:0.76.0-1
-
cpe:2.3:a:getoutline:outline:0.76.0-2
-
cpe:2.3:a:getoutline:outline:0.76.1
-
cpe:2.3:a:getoutline:outline:0.76.2-0
-
cpe:2.3:a:getoutline:outline:0.77.0
-
cpe:2.3:a:getoutline:outline:0.77.1
-
cpe:2.3:a:getoutline:outline:0.77.1-0
-
cpe:2.3:a:getoutline:outline:0.77.1-1
-
cpe:2.3:a:getoutline:outline:0.77.1-2
-
cpe:2.3:a:getoutline:outline:0.77.1-3
-
cpe:2.3:a:getoutline:outline:0.77.2
-
cpe:2.3:a:getoutline:outline:0.77.3
-
cpe:2.3:a:getoutline:outline:0.78.0
-
cpe:2.3:a:getoutline:outline:0.78.0-0
-
cpe:2.3:a:getoutline:outline:0.79.0
-
cpe:2.3:a:getoutline:outline:0.79.0-0
-
cpe:2.3:a:getoutline:outline:0.79.1
-
cpe:2.3:a:getoutline:outline:0.79.2-0
-
cpe:2.3:a:getoutline:outline:0.80.0
-
cpe:2.3:a:getoutline:outline:0.80.1
-
cpe:2.3:a:getoutline:outline:0.80.3-0
-
cpe:2.3:a:getoutline:outline:0.81.0
-
cpe:2.3:a:getoutline:outline:0.81.1
-
cpe:2.3:a:getoutline:outline:0.82.0
-
cpe:2.3:a:getoutline:outline:0.82.0-0
-
cpe:2.3:a:getoutline:outline:0.82.1-0
-
cpe:2.3:a:getoutline:outline:0.82.1-1
-
cpe:2.3:a:getoutline:outline:0.82.1-10
-
cpe:2.3:a:getoutline:outline:0.82.1-11
-
cpe:2.3:a:getoutline:outline:0.82.1-12
-
cpe:2.3:a:getoutline:outline:0.82.1-13
-
cpe:2.3:a:getoutline:outline:0.82.1-14
-
cpe:2.3:a:getoutline:outline:0.82.1-15
-
cpe:2.3:a:getoutline:outline:0.82.1-16
-
cpe:2.3:a:getoutline:outline:0.82.1-17
-
cpe:2.3:a:getoutline:outline:0.82.1-18
-
cpe:2.3:a:getoutline:outline:0.82.1-19
-
cpe:2.3:a:getoutline:outline:0.82.1-2
-
cpe:2.3:a:getoutline:outline:0.82.1-20
-
cpe:2.3:a:getoutline:outline:0.82.1-21
-
cpe:2.3:a:getoutline:outline:0.82.1-22
-
cpe:2.3:a:getoutline:outline:0.82.1-23
-
cpe:2.3:a:getoutline:outline:0.82.1-24
-
cpe:2.3:a:getoutline:outline:0.82.1-25
-
cpe:2.3:a:getoutline:outline:0.82.1-26
-
cpe:2.3:a:getoutline:outline:0.82.1-27
-
cpe:2.3:a:getoutline:outline:0.82.1-28
-
cpe:2.3:a:getoutline:outline:0.82.1-29
-
cpe:2.3:a:getoutline:outline:0.82.1-3
-
cpe:2.3:a:getoutline:outline:0.82.1-30
-
cpe:2.3:a:getoutline:outline:0.82.1-31
-
cpe:2.3:a:getoutline:outline:0.82.1-4
-
cpe:2.3:a:getoutline:outline:0.82.1-5
-
cpe:2.3:a:getoutline:outline:0.82.1-6
-
cpe:2.3:a:getoutline:outline:0.82.1-7
-
cpe:2.3:a:getoutline:outline:0.82.1-8
-
cpe:2.3:a:getoutline:outline:0.82.1-9
-
cpe:2.3:a:getoutline:outline:0.83.0