CVE-2025-34282: 
Wolfi vulnerability analysis and mitigation

ThingsBoard versions prior to 4.2.1 contain a server-side request forgery (SSRF) vulnerability identified as CVE-2025-34282. The vulnerability exists in the dashboard's Image Upload Gallery feature, where the system processes SVG files in a way that could allow unintended external references (VulnCheck Advisory).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v4.0 base score of 6.9 (Medium). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The vulnerability impacts system integrity and scope at a low level (VI:L, SI:L, SA:L) (VulnCheck Advisory).

When exploited, the vulnerability allows attackers to upload malicious SVG files that reference remote URLs. When the server processes these SVG files and parses external references, it may initiate unintended outbound requests. This can potentially be used to access internal services or resources within the target network (VulnCheck Advisory).

The vulnerability has been patched in ThingsBoard version 4.2.1. The fix includes adding Content-Security-Policy headers to the /public image API to prevent malicious code injection. Users are advised to upgrade to version 4.2.1 or later to address this security issue (ThingsBoard PR, ThingsBoard Release).