
Cloud Vulnerability DB
A community-led vulnerabilities database
PrivateBin, an online pastebin service, contains a self-XSS vulnerability (CVE-2025-64711) that affects versions 1.7.7 and later. The vulnerability was discovered on November 9, 2025, and publicly disclosed on November 12, 2025. It allows attackers to execute arbitrary JavaScript within a user's session through maliciously crafted filenames in the drag-and-drop file upload handler (GitHub Advisory, Miggo).
The vulnerability stems from improper handling of filenames during drag-and-drop operations. When a file is dropped, the readFileData function collects filenames and calls printDragAndDropFileNames, which insecurely renders user-submitted filenames as HTML using jQuery's .html() method instead of .text(). The vulnerability has a CVSS score of 3.9 (Low) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The issue is classified as CWE-79 (Cross-site Scripting) and only affects macOS and Linux users, as Windows prevents the use of special characters in filenames that are necessary for exploitation (GitHub Advisory).
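The following is an added illustration, not PrivateBin's own code: it models the rendering difference the advisory describes, with one path concatenating dropped filenames into markup the way a `.html()` call would interpret them and one path escaping them as `.text()` does, plus a check for the reserved characters that make such filenames impossible on Windows. Function names and the sample filenames are constructed for the example.

```javascript
// Added example (not PrivateBin code): vulnerable vs. fixed rendering of
// drag-and-drop filenames, modelled as string building so it runs in Node.

// Minimal HTML escaping, equivalent to what the browser does when a string is
// assigned via textContent (the effect of jQuery's .text()).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: filenames are concatenated into markup and handed to
// .html(), so any tags inside a filename become live DOM nodes.
function renderFileNamesUnsafe(fileNames) {
  return fileNames.map((n) => '<li>' + n + '</li>').join('');
}

// Fixed pattern: each filename is treated as text, so angle brackets survive
// only as visible characters and never as elements.
function renderFileNamesSafe(fileNames) {
  return fileNames.map((n) => '<li>' + escapeHtml(n) + '</li>').join('');
}

// Characters Windows refuses in filenames. This is why the advisory scopes the
// issue to macOS and Linux, where a name containing '<' or '>' can exist on disk.
const WINDOWS_RESERVED = /[<>:"\/\\|?*]/;
function isPossibleOnWindows(fileName) {
  return !WINDOWS_RESERVED.test(fileName);
}

// Constructed sample names; the second carries harmless markup to show the effect.
const SAMPLE_NAMES = ['notes.txt', '<b>report</b>.pdf'];

console.log('unsafe:', renderFileNamesUnsafe(SAMPLE_NAMES));
console.log('safe:  ', renderFileNamesSafe(SAMPLE_NAMES));
console.log('valid on Windows:', SAMPLE_NAMES.map(isPossibleOnWindows));
```

The unsafe output contains a real `<b>` element, whereas the safe output shows the literal characters; the second name is also rejected by the Windows filename rule, matching the advisory's platform scoping.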
The vulnerability allows attackers to steal plaintext or passphrases, or to manipulate the UI before data is encrypted, potentially compromising the zero-knowledge guarantees for the victim's session. However, the practical impact is considered low: exploitation requires user interaction, affects only the local session, and most PrivateBin instances send Content-Security-Policy headers that block most exploitation scenarios. If CSP is disabled, attackers could potentially redirect the user to foreign websites or conduct phishing attacks (GitHub Advisory).
The vulnerability has been patched in PrivateBin version 2.0.3, and users are strongly advised to upgrade to this version. Alternative mitigations include updating the Content-Security-Policy in the configuration file to the latest recommended settings, deploying PrivateBin on a separate domain to limit the scope of the vulnerability, or disabling file attachments entirely. Users should verify their CSP settings independently, even after upgrading to a fixed version (GitHub Advisory).
Source: This report was generated using AI