CVE-2025-64711
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-13

Last updated on: 2025-11-25

Assigner: GitHub, Inc.

Description
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-13
Last Modified
2025-11-25
Generated
2026-05-07
AI Q&A
2025-11-13
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64711
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
privatebin privatebin From 1.7.7 (inc) to 2.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in PrivateBin versions 1.7.7 up to 2.0.3 involves the drag-and-drop feature for files with filenames containing HTML. When a user drags such a file into the editor, the filename is reflected verbatim into the page, allowing arbitrary JavaScript to execute within the user's session (self-XSS). This can lead to attackers stealing plaintext, encryption keys, or stored pastes before encryption or sending. The exploit requires the user to actively drag or attach a maliciously named file, affects only macOS or Linux users, and depends on file upload being enabled on the PrivateBin instance. The vulnerability is patched in version 2.0.3.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker to execute arbitrary JavaScript in the victim's session, potentially stealing plaintext data, encryption keys, or stored pastes before they are encrypted or sent. It can also allow manipulation of the user interface to deceive the user. However, the attack requires user interaction (dragging or attaching a malicious file), affects only macOS or Linux users, and only if file upload is enabled. The overall practical impact is considered low.


What immediate steps should I take to mitigate this vulnerability?

Upgrade PrivateBin to version 2.0.3 or later, as this version patches the vulnerability. Additionally, ensure that Content-Security-Policy (CSP) is enabled to help prevent HTML injection attacks. Disable file upload functionality if it is not needed to reduce exposure. Educate users, especially macOS and Linux users, to avoid dragging or attaching files with suspicious or HTML-containing filenames to PrivateBin.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart