CVE-2025-66908
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66908, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: MITRE

Description

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-07-06
AI Q&A
2025-12-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
turms-im turms 0.10.0-snapshot

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Turms AI-Serving module (v0.10.0-SNAPSHOT and earlier) where the OCR image upload functionality improperly validates file types. Although the system attempts to restrict uploads to image files using the @FormData(contentType = MediaTypeConst.IMAGE) annotation, it only checks client-provided Content-Type headers and file extensions without verifying the actual file content via magic bytes (file signatures). This flaw allows an attacker to upload arbitrary file types such as executables, scripts, HTML, or web shells by spoofing the Content-Type header or using an image file extension, bypassing the intended restrictions. [3]

Impact Analysis

The vulnerability can lead to serious security impacts including potential server-side code execution, stored cross-site scripting (XSS), or information disclosure. Since attackers can upload malicious files disguised as images, they may execute unauthorized code on the server or deliver malicious scripts to users, compromising system integrity and confidentiality. [3]

Mitigation Strategies

To mitigate this vulnerability, you should implement proper server-side validation of uploaded files by verifying the actual file content using magic bytes (file signatures) instead of relying solely on client-provided Content-Type headers and file extensions. Additionally, restrict or sanitize uploads to prevent arbitrary file types, and consider applying patches or updates if available for the Turms AI-Serving module. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66908. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart