← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-64759 · CWE-20 · Disclosed 2025-11-19

Homarr is an open-source dashboard

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a poisoned sticky note on the admin’s dashboard, not a brick through the front window

CVE-2025-64759 is a stored XSS in Homarr where a malicious SVG uploaded through the user-media path can execute JavaScript when rendered in a victim browser. The vendor advisory says affected versions are <= 1.43.2, patched in >= 1.43.3, and NVD mirrors that scope. The advisory also makes the critical detail explicit: the attacker must be able to upload media and edit a board, and admin takeover only happens if an administrator later views the page that renders or redirects to that SVG.

The vendor's HIGH 8.1 score is technically understandable because successful exploitation can cross privilege boundaries inside the app and end in full Homarr admin rights. In real deployments, though, this is a heavily gated chain: attacker access is already *inside* the app, the exposed population is niche, the vulnerable path often depends on public boards or delegated editors, and the chain still needs an admin view. That makes this a downgrade to MEDIUM for enterprise patch scheduling, not because the bug is harmless, but because the reachable population and attacker starting position are much narrower than the CVSS headline suggests.

"Dangerous inside the app, but too permission-gated and niche to justify a straight HIGH."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain board-edit and media-upload rights

The attacker first needs a Homarr identity or exposure path that can modify a board and upload media. Per the advisory, that can be an authenticated user with those permissions or, in some public-board setups, an unauthenticated path if the board is public and the instance is configured loosely enough to allow the workflow. Typical tooling here is just the browser plus an intercept proxy like Burp Suite to understand the upload and board-edit requests.
Conditions required:
  • Homarr instance exists and is reachable
  • Attacker has media-upload and board-edit capability
  • Either delegated user access exists or the deployment exposes a public board workflow
Where this breaks in practice:
  • Most enterprises do not run Homarr at all
  • Many Homarr deployments are personal or small-team dashboards, not broadly delegated enterprise apps
  • Permission to upload media and edit boards is already a meaningful in-app foothold
Detection/coverage: Version scanners can flag <=1.43.2, but they cannot prove this permission path is reachable. App-level logging or reverse-proxy logs are needed to see media uploads and board edits.
STEP 02

Upload a malicious SVG to /api/user-medias/

The weaponized object is an SVG carrying scriptable content or event handlers. Before the patch, Homarr returned uploaded SVG content without sanitizing it; the fix commit adds isomorphic-dompurify, sanitization for SVG content, a CSP sandbox, and X-Content-Type-Options: nosniff on the media response path. The practical exploit kit is trivial: a crafted SVG plus normal upload UI or direct API calls.
Conditions required:
  • Upload endpoint is reachable
  • SVG uploads are accepted
  • Target is still on a vulnerable build
Where this breaks in practice:
  • The attacker still needs a place on a board where the SVG will be rendered or linked
  • Some downstream reverse proxies or CSP customizations may incidentally blunt execution, though you should not count on that
Detection/coverage: Good SCA/SBOM coverage for image tag or package version; weak detection for the malicious payload itself unless uploads are inspected or retained.
STEP 03

Wait for an administrator to render the payload

Impact depends on user interaction: an administrator must load the page that renders or redirects to the SVG. Once rendered in the browser context of the Homarr origin, the JavaScript executes with the victim session and can act as that admin. This is the decisive severity brake: the chain is not self-triggering and does not give instant unauthenticated server compromise.
Conditions required:
  • An admin user exists
  • That admin views the page or object containing the malicious SVG
  • The admin browser session is active
Where this breaks in practice:
  • Requires a specific victim role, not just any user
  • Requires timing or social engineering to get the admin to open the rendered object
  • Modern browser protections do not stop same-origin script that the application itself serves
Detection/coverage: Email gateways and EDR do not meaningfully stop this step because the content is served by the trusted app itself. Browser telemetry or app audit trails are the better places to look.
STEP 04

Use victim session to self-promote into credentials-admin

The advisory explicitly states the XSS can be abused to add the attacker's account to the credentials-admin group, resulting in full administrative access inside Homarr. At that point the attacker can access whatever secrets, integrations, tokens, URLs, or board content Homarr admins can reach. The exploit tool here is just JavaScript making authenticated same-origin requests from the victim browser.
Conditions required:
  • Admin session has rights to manage group membership or equivalent privileged actions
  • The attacker has an account to promote, or another way to persist access
Where this breaks in practice:
  • Blast radius is primarily the Homarr instance and whatever data or integrations it fronts, not an instant host-level takeover
  • Impact varies sharply based on how many secrets and integrations are stored in Homarr
Detection/coverage: Look for sudden group-membership changes, media upload followed by admin-group modification, or suspicious API activity tied to an admin session.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative active-exploitation signal found in this review. Not KEV-listed and no vendor statement of exploitation observed.
Proof-of-concept availabilityNo stand-alone public exploit repo surfaced in primary-source review, but reproduction is straightforward from the GitHub advisory plus the fix commit. This is low-complexity to reproduce, not turnkey mass exploitation.
EPSS0.00057 from the user-supplied intel, which is very low predicted near-term exploitation probability. FIRST confirms EPSS is a 30-day exploitation probability model.
KEV statusNo. CVE-2025-64759 is absent from CISA's current KEV JSON mirror reviewed for this assessment.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N — the two suppressors that matter operationally are PR:H and UI:R.
Affected versionsGitHub advisory lists <=1.43.2; OSV shows the vulnerable range across v1.* through v1.43.2 with fix at commit 0bba7be8d5a27276641700ce310b3c270f8b1aa7.
Fixed versionsPatched in 1.43.3. The advisory and release tag both line up on that version.
Exposure realityHomarr supports public boards and anonymous-user fallbacks, so some internet exposure is plausible. But this is still a niche self-hosted dashboard product, and I found no solid public Censys/Shodan/GreyNoise dataset quantifying exposed vulnerable population for this CVE.
Disclosure date2025-11-19 via GitHub advisory and NVD publication metadata.
Researcher / reporterThe public advisory is published by manuel-rw on GitHub, but I could not independently verify a separate external reporter credit from the public advisory text.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.8/10)

The single biggest reason this lands in MEDIUM is the attacker starting position: the chain assumes existing in-app permissions to upload media and edit boards, then still needs an administrator to render the payload. That is classic post-initial-access, permission-gated application abuse, not broad unauthenticated internet compromise.

HIGH Affected version range and patch version
HIGH Exploit chain prerequisites from vendor advisory
MEDIUM Real-world exposure population of Homarr in enterprise environments

Why this verdict

  • Downward pressure: PR:H is real operational friction — attacker needs board-edit/media-upload capability, which implies prior access or delegated trust inside the app.
  • Downward pressure: UI:R compounds the chain — an administrator must later render the malicious SVG, so exploitation is not self-driving.
  • Downward pressure: narrow deployment population — Homarr is a self-hosted dashboard, not a broadly deployed enterprise control plane, so reachable population is much smaller than a generic web-app HIGH.
  • Upward pressure: successful exploitation reaches full Homarr admin — once the XSS runs in an admin session, the attacker can promote themselves to credentials-admin and own the application plane.
  • Upward pressure: public-board support expands edge cases — some deployments allow anonymous users and public boards, which can reduce the authentication hurdle in poorly governed instances.

Why not higher?

This is not a CRITICAL/HIGH patch-priority event for most enterprises because the exploit chain does not begin from unauthenticated remote internet access in the common case. It needs meaningful in-app rights first and then depends on admin interaction, which sharply reduces both exploit velocity and exposed population.

Why not lower?

I would not drop this to LOW because, once triggered, the outcome is still full application-admin compromise with likely access to stored integrations and secrets. Public-board deployments and loosely delegated editor roles can also make the first stage easier than the raw PR:H label suggests.

05 · Compensating Control

What to do — in priority order.

  1. Remove board-edit rights from non-admins — If users do not need to edit boards or upload media, revoke it now. For a MEDIUM finding there is no noisgate mitigation SLA; use this as immediate hardening while you move to the 365-day remediation window.
  2. Disable or review public boards — Public boards widen the reachable population and create anonymous-user edge cases called out by Homarr's own docs. No mitigation SLA for MEDIUM, but this is the fastest blast-radius reduction if you cannot patch immediately.
  3. Block SVG uploads at the reverse proxy or app policy layer — If you can safely do so, reject image/svg+xml uploads or strip existing uploaded SVG media until all instances are on 1.43.3+. This directly cuts off the weaponized file type without waiting for a full maintenance cycle.
  4. Audit admin-group changes and media uploads — Search for suspicious sequences: uploaded media, board edits, then membership changes involving credentials-admin. This will not prevent exploitation, but it improves the chance of catching a successful chain before the attacker settles in.
  5. Force least privilege on Homarr integrations — Assume a compromised Homarr admin can read or abuse connected integration metadata and tokens. Reduce stored secrets and downgrade integration scopes so an app-admin compromise does not become a wider environment compromise.
What doesn't work
  • A generic WAF is not a reliable answer here because the malicious payload is stored by the application and later served from the trusted origin.
  • MFA does not stop the post-login browser-session abuse; the malicious JavaScript rides the already authenticated admin session.
  • Relying on a browser's default XSS protections does not help enough because the app is legitimately serving attacker-controlled SVG content from its own origin.
06 · Verification

Crowdsourced verification payload.

Run this on the Docker host or Linux target that runs Homarr. Invoke it as bash check-homarr-cve-2025-64759.sh to scan running containers and local images, or bash check-homarr-cve-2025-64759.sh ghcr.io/homarr-labs/homarr:1.43.2 to check a specific image reference; it needs permission to talk to Docker (root or membership in the docker group).

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-homarr-cve-2025-64759.sh
# Detects likely exposure to CVE-2025-64759 by checking Homarr Docker image tags.
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_VERSION="1.43.3"
TARGET_ARG="${1:-}"

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

normalize_version() {
  local v="$1"
  v="${v#v}"
  v="${v%%-*}"
  printf '%s' "$v"
}

check_ref() {
  local ref="$1"
  local tag version

  case "$ref" in
    *:*) tag="${ref##*:}" ;;
    *) tag="" ;;
  esac

  if [ -z "$tag" ] || [ "$tag" = "latest" ]; then
    return 2
  fi

  version="$(normalize_version "$tag")"

  case "$version" in
    ''|*[!0-9.]* )
      return 2
      ;;
  esac

  if ver_lt "$version" "$FIXED_VERSION"; then
    return 1
  fi
  return 0
}

if ! have_cmd docker; then
  echo "UNKNOWN"
  exit 2
fi

# If a specific image/container reference was supplied, check only that.
if [ -n "$TARGET_ARG" ]; then
  if check_ref "$TARGET_ARG"; then
    echo "PATCHED"
    exit 0
  else
    rc=$?
    if [ "$rc" -eq 1 ]; then
      echo "VULNERABLE"
      exit 1
    fi
    echo "UNKNOWN"
    exit 2
  fi
fi

found_any=0
unknown_any=0

# Check running containers first.
while IFS= read -r img; do
  [ -z "$img" ] && continue
  found_any=1
  if check_ref "$img"; then
    :
  else
    rc=$?
    if [ "$rc" -eq 1 ]; then
      echo "VULNERABLE"
      exit 1
    fi
    unknown_any=1
  fi
done < <(docker ps --format '{{.Image}}' 2>/dev/null | grep -Ei 'homarr' || true)

# If no running containers matched, check local images.
if [ "$found_any" -eq 0 ]; then
  while IFS= read -r img; do
    [ -z "$img" ] && continue
    found_any=1
    if check_ref "$img"; then
      :
    else
      rc=$?
      if [ "$rc" -eq 1 ]; then
        echo "VULNERABLE"
        exit 1
      fi
      unknown_any=1
    fi
  done < <(docker images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -Ei 'homarr' || true)
fi

if [ "$found_any" -eq 0 ]; then
  echo "UNKNOWN"
  exit 2
fi

if [ "$unknown_any" -eq 1 ]; then
  echo "UNKNOWN"
  exit 2
fi

echo "PATCHED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: identify every Homarr instance, especially any with public boards, delegated editors, or stored admin integrations, and move them to 1.43.3+. Because this is a MEDIUM reassessment, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use configuration hardening now by removing board-edit/media-upload rights from non-admins and blocking SVG uploads where feasible, then complete the vendor patch within the noisgate remediation SLA of ≤ 365 days.

Sources

  1. NVD CVE-2025-64759
  2. GitHub Security Advisory GHSA-wj62-c5gr-2x53
  3. Homarr fix commit aaa23f3
  4. Homarr release v1.43.3
  5. OSV record for CVE-2025-64759
  6. Homarr settings documentation
  7. CISA KEV raw JSON mirror
  8. FIRST EPSS overview
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.