CVE-2025-7066

Published: Jul 4, 2025

Modified: Sep 16, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma.

Vendor	Product	Versions
Jirafeau project	Jirafeau	affected `0 - < 4.6.3`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://gitlab.com/jirafeau/Jirafeau/-/commit/79464ec6276e8eb0e0b0ad597db02b85080d2b63

https://www.cve.org/CVERecord?id=CVE-2022-30110

https://www.cve.org/CVERecord?id=CVE-2024-12326

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-7066

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References