CVE-2025-58351
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-10-20

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions, allowing script execution within the context of another user. This is fixed in version 0.84.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-10-20
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58351
EUVD
EUVD-2025-26598
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getoutline outline From 0.72.0 (inc) to 0.84.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58351 is a vulnerability in the Outline service versions 0.72.0 through 0.83.0, where a feature allowing local file system storage (FILE_STORAGE=local) introduced a Content Security Policy (CSP) bypass and Content-Type bypass. This allowed an attacker, in self-hosted deployments on the same domain as the Outline application, to upload malicious payloads as file attachments that could bypass CSP restrictions and execute scripts in the context of another user, potentially enabling further attacks. The vulnerability was fixed in version 0.84.0 by adding stricter CSP headers, including a sandbox directive on file responses. [2, 3]

Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts within the context of another user by uploading malicious files that bypass CSP and Content-Type restrictions. This can lead to unauthorized access to sensitive data (high confidentiality impact), potentially compromising user data and session integrity. The attack requires some privileges and user interaction but can be exploited remotely, making it a moderate risk. It does not impact data integrity or availability directly but can facilitate further attacks. [2]

Detection Guidance

To detect this vulnerability, check if your Outline deployment is using versions between 0.72.0 and 0.83.0 with FILE_STORAGE=local enabled on the same domain as the Outline application. You can verify the version by running commands like `outline --version` or checking the deployed container/image tags. Additionally, monitor HTTP responses from the files.get endpoint to see if the Content-Security-Policy header with the 'sandbox' directive is present. For example, use curl: `curl -I https://your-outline-domain/api/files.get` and check for the header `Content-Security-Policy: sandbox`. Absence of this header indicates the vulnerability is likely present. [2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade Outline to version 0.84.0 or later, where the vulnerability is fixed. If upgrading immediately is not possible, enforce the header `Content-Security-Policy: sandbox` on all responses from the files.get endpoint, for example by configuring a proxy in front of Outline to add this header. This sandbox directive restricts script execution and mitigates the CSP bypass vulnerability. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart