CVE-2025-34281: 
Wolfi vulnerability analysis and mitigation

ThingsBoard versions prior to 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. The vulnerability was discovered and disclosed on October 17, 2025, and is tracked as CVE-2025-34281. The issue affects the ThingsBoard platform's image upload functionality and has been assigned a CVSS v4.0 score of 5.1 (Medium) (VulnCheck).

The vulnerability exists due to insufficient sanitization and improper content-type validation of uploaded SVG files in the dashboard's Image Upload Gallery feature. An attacker can exploit this by uploading an SVG file containing malicious JavaScript code. The vulnerability has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (VulnCheck).

When exploited, the vulnerability allows the execution of malicious JavaScript code when the SVG file is rendered in the UI. This can lead to potential cross-site scripting attacks, which could compromise user sessions or perform unauthorized actions on behalf of users viewing the affected dashboard (VulnCheck).

The vulnerability has been fixed in ThingsBoard version 4.2.1. The fix includes adding Content-Security-Policy headers to the public image API to prevent malicious code injection. Users are advised to upgrade to version 4.2.1 or later to address this security issue (ThingsBoard Release, ThingsBoard PR).