CVE-2025-24372: CKAN has an XSS vector in user uploaded images in group/org and user profiles
Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability.
References
- docs.ckan.org/en/latest/maintaining/configuration.html
- docs.ckan.org/en/latest/maintaining/configuration.html
- docs.ckan.org/en/latest/maintaining/configuration.html
- docs.ckan.org/en/latest/maintaining/configuration.html
- github.com/advisories/GHSA-7pq5-qcp6-mcww
- github.com/ckan/ckan
- github.com/ckan/ckan/commit/7da6a26c6183e0a97a356d1b1d2407f3ecc7b9c8
- github.com/ckan/ckan/commit/a4fc5e06634ed51d653ab819a7efc8e62f816f68
- github.com/ckan/ckan/security/advisories/GHSA-7pq5-qcp6-mcww
- nvd.nist.gov/vuln/detail/CVE-2025-24372
Detect and mitigate CVE-2025-24372 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →