CVE-2025-57292: 
NixOS vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Todoist version 8484, specifically affecting the avatar upload functionality. The vulnerability was disclosed on September 26, 2025, and assigned identifier CVE-2025-57292. The issue stems from the application's failure to properly validate MIME types and sanitize image metadata during file uploads (NVD).

The vulnerability exists in the avatar upload feature where the application fails to properly validate MIME types and sanitize image metadata, particularly in PNG tEXt chunk Comment fields. The CVSS v3.1 base score is 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The attack involves creating a PNG image with malicious JavaScript code injected into the metadata using exiftool, then manipulating the Content-Type header during upload from image/png to text/html (Github POC).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers when the malicious image is rendered. This can lead to theft of sensitive information, session hijacking, and other client-side attacks in the context of the Todoist application (NVD).

The vulnerability affects Todoist version 8484. While specific patch information is not publicly available in the search results, general security best practices suggest implementing proper MIME type validation, sanitizing image metadata, and applying content security policies to prevent execution of injected scripts (NVD).