CVE-2025-34282

Published: Oct 17, 2025

Modified: Nov 19, 2025

PUBLISHED

Description

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Vendor: ThingsBoard, Inc.
Product: ThingsBoard
Versions: affected, 0 - < 4.2.1

Weaknesses (CWE)
