CVE-2025-59428
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-20

Assigner: GitHub, Inc.

Description
EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-20
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59428
EUVD
EUVD-2025-34207
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
espocrm espocrm to 9.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59428 is a vulnerability in EspoCRM versions before 9.1.9 that allows an attacker with Knowledge Base edit permissions to embed a malicious SVG element containing a link in an article's body field. When an authenticated user clicks this malicious SVG link, they are redirected to an attacker-controlled page that automatically sends a CSRF request to the EspoCRM user creation API endpoint. If the victim authenticates when prompted, the attacker can create arbitrary user accounts, including administrative ones, effectively escalating privileges and compromising the system. This happens due to a combination of stored SVG injection and lack of CSRF protection on the user creation API. [1]

Impact Analysis

This vulnerability can lead to arbitrary creation of user accounts with attacker-controlled attributes, including administrative privileges. If an administrator interacts with the malicious SVG content, the attacker can escalate privileges and fully compromise the EspoCRM system. This can result in unauthorized access, control over sensitive customer relationship management data, and potential further exploitation of the system. [1]

Detection Guidance

Detection can involve monitoring for suspicious SVG content in user-editable fields, especially looking for SVG <a> tags linking to external or attacker-controlled URLs. Additionally, network monitoring for POST requests to the /api/v1/User endpoint originating from user browsers after clicking suspicious links can help detect exploitation attempts. Commands to detect suspicious SVG content might include searching the database or files for SVG <a> tags, for example using grep: grep -r '<svg' /path/to/espocrm/data or grep -r '<a href=' /path/to/espocrm/data. Network traffic can be inspected using tools like tcpdump or Wireshark to filter POST requests to /api/v1/User. For example, using tcpdump: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep '/api/v1/User'. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading EspoCRM to version 9.1.9 or later where the vulnerability is patched. Additionally, sanitize and restrict SVG/HTML rendering in user-editable fields to prevent injection of malicious SVG content. Implement validation of Origin and Referer headers on requests to the /api/v1/User endpoint to prevent CSRF attacks. Applying Content Security Policy (CSP) to restrict administrative actions to trusted domains is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart