CVE-2025-58351
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getoutline | outline | From 0.72.0 (inc) to 0.84.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58351 is a vulnerability in the Outline service, versions 0.72.0 through 0.83.0, where a feature allowing local file system storage (FILE_STORAGE=local) introduced a Content Security Policy (CSP) bypass and a Content-Type bypass. In self-hosted deployments that use local file storage on the same domain as the Outline application, an attacker could upload malicious payloads as file attachments that bypass CSP restrictions and execute scripts in the context of another user, potentially enabling further attacks. The vulnerability was fixed in version 0.84.0 by adding stricter CSP headers, including a sandbox directive on file responses. [2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute malicious scripts within the context of another user by uploading malicious files that bypass CSP and Content-Type restrictions. This can lead to unauthorized access to sensitive data (high confidentiality impact), potentially compromising user data and session integrity. The attack requires some privileges and user interaction but can be exploited remotely, making it a moderate risk. It does not impact data integrity or availability directly but can facilitate further attacks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, check if your Outline deployment is using versions between 0.72.0 and 0.83.0 with FILE_STORAGE=local enabled on the same domain as the Outline application. You can verify the version by running commands like `outline --version` or checking the deployed container/image tags. Additionally, monitor HTTP responses from the files.get endpoint to see if the Content-Security-Policy header with the 'sandbox' directive is present. For example, use curl: `curl -I https://your-outline-domain/api/files.get` and check for the header `Content-Security-Policy: sandbox`. Absence of this header indicates the vulnerability is likely present. [2, 3]
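The header check described above, as an added example (not code from Outline or from this page): it parses raw `curl -sI` output and reports whether a real `sandbox` directive is present, instead of matching the word anywhere in the header. The header dumps are constructed samples, and the `sandbox-allows-scripts` result is an extra check added here on the assumption that a sandbox carrying `allow-scripts` no longer restricts script execution.

```python
# Added example: classify a files.get response by its CSP sandbox directive.
# The three header dumps below are constructed samples of `curl -sI` output.
PATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Security-Policy: sandbox\r\n\r\n"
NO_DIRECTIVE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; report-uri /csp/sandbox\r\n\r\n"
)
SCRIPTS_ALLOWED = (
    "HTTP/2 200\r\ncontent-type: text/html\r\n"
    "content-security-policy: sandbox allow-scripts allow-same-origin\r\n\r\n"
)


def csp_policies(raw_headers):
    """Parse every CSP policy in a raw header dump into {directive: [tokens]}."""
    policies = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "content-security-policy":
            continue
        for policy in value.split(","):  # one header may list several policies
            directives = {}
            for part in policy.split(";"):
                tokens = part.split()
                if tokens:  # a repeated directive is ignored; the first one counts
                    directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
            if directives:
                policies.append(directives)
    return policies


def assess(raw_headers):
    """Return 'sandboxed', 'sandbox-allows-scripts' or 'missing'."""
    sandboxes = [p["sandbox"] for p in csp_policies(raw_headers) if "sandbox" in p]
    if not sandboxes:
        return "missing"
    # Sandbox restrictions from several policies add up, so scripts stay
    # blocked as long as one sandbox directive omits allow-scripts.
    if any("allow-scripts" not in tokens for tokens in sandboxes):
        return "sandboxed"
    return "sandbox-allows-scripts"


if __name__ == "__main__":
    for label, dump in [("patched", PATCHED), ("no directive", NO_DIRECTIVE),
                        ("scripts allowed", SCRIPTS_ALLOWED)]:
        print(f"{label}: {assess(dump)}")
```

The second sample shows why a plain text search is not enough: the word `sandbox` appears in the header value, but only inside a `report-uri` path.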
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Outline to version 0.84.0 or later, where the vulnerability is fixed. If upgrading immediately is not possible, enforce the header `Content-Security-Policy: sandbox` on all responses from the files.get endpoint, for example by configuring a proxy in front of Outline to add this header. This sandbox directive restricts script execution and mitigates the CSP bypass vulnerability. [2, 3]