Key Information Vulnerability Name: ThingsBoard < v4.2.1 SVG Image SSRF Severity: MEDIUM Date: October 17, 2025 Affected Versions: ThingsBoard < v4.2.1 CVE ID: CVE-2025-34282 CWE ID: CWE-918 Server-Side Request Forgery (SSRF) CVSS Score: 6.9 CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L References: - ThingsBoard Release Notes - ThingsBoard Patch PR Discoverer: Tamil Mathi Description: ThingsBoard versions prior to v4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be exploited to access internal services or resources.