CVE-2025-67438
Status: Awaiting Analysis
Stored XSS in Sync-in Server Allows Session Cookie Theft

Publication date: 2026-02-20

Last updated on: 2026-03-25

Assigner: MITRE

Description
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-02-20
EPSS evaluated: 2026-06-15
CVSS and EPSS scores: not listed on this page
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product          Version / Range
sync-in   sync-in_server   before 1.9.3 (1.9.3 itself not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI-generated analysis
Executive Summary

CVE-2025-67438 is a stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server versions before 1.9.3. It allows an authenticated attacker to upload a specially crafted SVG file containing malicious JavaScript. When a victim opens the raw SVG file URL, the embedded JavaScript executes in the victim's browser within the Sync-in origin. [2]

This happens because the server's raw file viewer endpoint serves SVG content inline, without sanitization, and the file upload functionality accepts SVG files without validation. [2]

Script inside an SVG only runs when the browser renders the file as a document, for example by navigating to the raw URL or embedding it through an iframe, object or embed element; an SVG referenced from an img element does not execute script. That is why the raw viewer endpoint, not the upload itself, is the exploitable path.

Impact Analysis

The vulnerability lets arbitrary JavaScript run in the victim's browser in the Sync-in origin, where it can read anything exposed to script, such as session cookies (unless they are flagged HttpOnly) and CSRF tokens, and can issue authenticated requests on the victim's behalf even when the cookie itself cannot be read. [2]

With that access an attacker can hijack user sessions or escalate privileges, compromising user accounts and the data stored in Sync-in. [2]


Detection Guidance

Detection has two parts: confirming whether an instance is still on a vulnerable version, and finding SVG uploads that carry active content. [2]

- Check the Sync-in Server version through the application or by inspecting the deployment, and confirm whether it is older than 1.9.3.
- Search the file storage or upload directories for SVG files and inspect them for embedded script. A plain search for '<script' is case-sensitive and misses event-handler attributes and javascript: URIs, so a broader search is, for example: grep -rilE '<script|\bon[a-z]+[[:space:]]*=|javascript:' --include='*.svg' /path/to/sync-in/uploads/
- Review web-server or application access logs for requests to raw SVG file URLs; hits on recently uploaded SVG files from users other than the uploader are worth investigating as possible exploitation attempts.

A text search is a triage aid only: entity-encoded or otherwise obfuscated payloads will not match, and every hit needs manual review before it is treated as an incident.

Mitigation Strategies

The primary mitigation is to upgrade Sync-in Server to version 1.9.3 or later, where the vulnerability has been fixed.

The fix serves raw files with the HTTP header `Content-Disposition: attachment`. A browser then downloads the file instead of rendering it as a document in the Sync-in origin, so script embedded in an SVG never executes there.

Until the upgrade can be applied, restrict or disable the upload of SVG files, or sanitize uploaded SVG files so that script elements, event-handler attributes and javascript: URIs are all removed; a sanitizer that strips only `<script>` elements leaves the other two vectors in place. Where a reverse proxy sits in front of the server, adding the same `Content-Disposition: attachment` header to responses from the raw file viewer endpoint is another interim option.

Also review and monitor user uploads and the raw file viewer endpoint to detect and block malicious payloads.
