关键信息 漏洞名称: ThingsBoard < v4.2.1 SVG Image SSRF 严重性: MEDIUM 日期: October 17, 2025 影响版本: ThingsBoard < v4.2.1 CVE编号: CVE-2025-34282 CWE编号: CWE-918 Server-Side Request Forgery (SSRF) CVSS评分: 6.9 CVSS V4向量: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L 参考链接: - ThingsBoard Release Notes - ThingsBoard Patch PR 发现者: Tamil Mathi 描述: ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.