CVE-2025-68461
Cross-Site Scripting in Roundcube Webmail via SVG Animate Tag
Publication date: 2025-12-18
Last updated on: 2026-02-23
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | roundcube | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying malicious SVG files or payloads containing the <animate> tag with dangerous attributes, such as an 'xlink:href' whose value is a JavaScript URL. You can scan your Roundcube Webmail installation files and user-uploaded SVG content for such patterns. For example, using grep to find suspicious SVG animate tags with JavaScript payloads (replace the path with your Roundcube directory or the location of user uploads): `grep -r --include='*.svg' "<animate[^>]*xlink:href=[\"']javascript:" /path/to/roundcube`. Additionally, monitoring HTTP traffic for SVG files containing <animate> tags with suspicious attributes can help detect exploitation attempts. [1]
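A literal grep misses values whose case or whitespace has been varied, which is why the fix described in this record normalizes attribute names and values before checking them. The following Python scanner is an added example (not from the CVE record and not Roundcube's own sanitizer): it parses an SVG, normalizes attribute values, and flags an <animate> element that carries a javascript: URL in any attribute or that animates a link's href; the element list, the reasons reported and the two sample documents are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The CVE record names <animate>; other SMIL elements are not listed here
# because extending the set would be an assumption beyond the record.
ANIMATION_TAGS = {"animate"}
HREF_TARGETS = {"href", "xlink:href"}

def _normalize(value):
    """Strip whitespace/control characters and lower-case the value, so
    split or mixed-case forms such as 'java\\tscript:' still compare equal."""
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower()

def find_suspicious_animate(svg_text):
    """Return (element, attribute, reason) tuples for <animate> elements that
    carry a javascript: URL in any attribute or that retarget a link's href."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers render what a strict parser rejects; surface it for review.
        return [("document", "", f"not well-formed XML ({exc}); review manually")]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop the namespace URI
        if tag.lower() not in ANIMATION_TAGS:
            continue
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            norm = _normalize(value)
            if norm.startswith("javascript:"):
                findings.append((tag, attr, "javascript: URL in attribute value"))
            if attr.lower() == "attributename" and norm in HREF_TARGETS:
                findings.append((tag, attr, "animation retargets a link href"))
    return findings

# Constructed sample documents for demonstration; not taken from any real message.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5">'
    '<animate attributeName="r" from="5" to="10" dur="1s"/></circle></svg>'
)
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.com/"><text>hi</text>'
    '<animate attributeName="xlink:href" to="java&#9;script:void(0)"/></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, find_suspicious_animate(doc))
```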
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Roundcube Webmail to version 1.5.12 or later, or 1.6.12 or later, where this vulnerability is fixed. The fix includes improved sanitization of SVG <animate> tags and blocking of dangerous attributes that could lead to XSS. If updating is not immediately possible, consider applying the patch from commit bfa0326 or disabling SVG animation support in your sanitizer configuration to prevent malicious SVG content from being processed. [1]
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in Roundcube Webmail related to the handling of the SVG <animate> tag. Attackers could exploit the way SVG animation attributes are processed to inject malicious scripts. The vulnerability arises because certain SVG attributes like 'to', 'from', and 'attributeName' were not properly sanitized, allowing JavaScript payloads to be embedded and executed. The fix involved improving sanitization by normalizing attribute names and values, blocking dangerous SVG animate elements, and enhancing cleanup routines to prevent script injection via SVG animations. [1]
How can this vulnerability impact me?
This XSS vulnerability can allow attackers to execute arbitrary scripts in the context of the victim's browser when they view malicious SVG content in Roundcube Webmail. This can lead to theft of sensitive information such as session cookies, user credentials, or other private data accessible through the webmail interface. It may also enable attackers to perform actions on behalf of the user without their consent, potentially compromising the security and privacy of the affected users. [1]