CVE-2025-52880 in komga

Summary

by MITRE • 06/24/2025

Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.


Analysis

by VulDB Data Team • 06/25/2025

CVE-2025-52880 is a stored cross-site scripting flaw in Komga versions 1.8.0 through 1.21.3 that affects how EPUB resources are handled. An EPUB is a ZIP container of XHTML, SVG, CSS and image resources, and Komga serves those resources from its own origin, both directly through its API and to the built-in EPUB reader. Script carried inside such a resource therefore executes in the context of the Komga web application, with the viewing user's session, rather than in an isolated origin. Because the same resources are reachable by two routes, the flaw can be triggered through either.

The root cause is that content documents taken from a user-supplied EPUB are returned to the browser as renderable markup without the active content in them being neutralised or confined. Once a crafted EPUB is present in a Komga library, script embedded in its XHTML or SVG members runs when the book is opened in the reader, or when the resource is fetched from the API and rendered. Note that the EPUB 3 specification legitimately permits scripted content documents, so such a file is not malformed; the responsibility for confining its script lies with the application that renders it. The weakness is classified as CWE-79, improper neutralisation of input during web page generation, which covers applications that place user-controllable data into a page without adequate encoding or isolation. Exploitation requires that a malicious EPUB file be present in the library and then be opened in the EPUB reader by an authenticated user; the case the advisory describes is an administrator.

The impact goes beyond that of a typical XSS because the injected script runs with the session of whoever opens the book. If that is an administrator, the script can issue authenticated requests to Komga on the administrator's behalf, which amounts to full administrative control of the instance. The advisory states that this can be combined with controlling a server-side command to achieve arbitrary code execution: as described, the XSS supplies the administrative privilege and an administrator-controllable server-side command supplies the execution, so no separate injection or memory-safety bug is needed. A file placed in a library folder can thus end in code execution on the host, which matters most in deployments where administrators routinely open content contributed by others.

Exploitation needs two things: a malicious EPUB in a Komga library, and an administrator opening it in the EPUB reader. Either social engineering (a book supplied to a shared library) or any compromised account or process that can write to a library folder makes that realistic. Version 1.22.0 contains the fix. In ATT&CK terms, delivering the file resembles T1566 (Phishing), and both the in-browser script and the chained server-side command fall under T1059 (Command and Scripting Interpreter). Organisations should upgrade affected instances promptly; where that cannot happen immediately, scan library folders for EPUB members that contain script before anyone opens them, restrict who can write to library paths, avoid opening untrusted books from an administrator account, and limit the instance's network exposure. The bug is a reminder that a media server rendering rich formats from disk is rendering untrusted HTML, and must confine it as such.
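The interim scan recommended above, as an added example that is not Komga's own code (Komga is written in Kotlin; this is a stand-alone Python audit script). It treats an EPUB as what it is, a ZIP of XHTML/SVG resources, and reports members containing script elements, inline event handlers, javascript: URLs or embedded frames and objects. The sample EPUB is constructed inline for the demonstration, and the names `scan_epub`, `scan_markup` and `build_sample_epub` are chosen here. Because EPUB 3 permits scripted content documents, a hit is a reason to quarantine and review a file, not proof of malice, and the scan is a compensating control rather than a substitute for upgrading to 1.22.0.

```python
"""Audit EPUB files in a library folder for active content.

Added example, not Komga project code. An EPUB is a ZIP of XHTML/SVG/CSS/image
resources; a reader that serves those resources from its own origin executes
any script they carry. This script only reports, it never rewrites files.
"""
import io
import re
import zipfile
from html.parser import HTMLParser

# Members a reader renders as markup, and which can therefore carry script.
MARKUP_SUFFIXES = (".xhtml", ".html", ".htm", ".svg")
# Elements that execute or embed active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes that take a URL and honour the javascript: scheme.
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction", "data"}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


class ActiveContentParser(HTMLParser):
    """Collects script elements, on* handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing XHTML
        # tags such as <img .../> are routed here as well.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in URL_ATTRS and value and JS_URL.match(value):
                self.findings.append(f"javascript: URL in {name}")


def scan_markup(markup: str) -> list[str]:
    """Findings for one XHTML/SVG document; an empty list means nothing active."""
    parser = ActiveContentParser()
    parser.feed(markup)
    parser.close()
    return parser.findings


def scan_epub(data: bytes) -> dict[str, list[str]]:
    """Map each markup member that contains active content to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(MARKUP_SUFFIXES):
                continue
            findings = scan_markup(zf.read(info).decode("utf-8", errors="replace"))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_epub() -> bytes:
    """Constructed fixture (not a real-world sample): one clean chapter, one
    scripted chapter and an SVG that carries script."""
    container = ('<?xml version="1.0"?><container version="1.0" '
                 'xmlns="urn:oasis:names:tc:opendocument:xmlns:container"><rootfiles>'
                 '<rootfile full-path="OEBPS/content.opf" '
                 'media-type="application/oebps-package+xml"/></rootfiles></container>')
    opf = ('<?xml version="1.0"?><package xmlns="http://www.idpf.org/2007/opf" version="3.0">'
           '<manifest><item id="c1" href="ch1.xhtml" media-type="application/xhtml+xml"/>'
           '<item id="c2" href="ch2.xhtml" media-type="application/xhtml+xml" properties="scripted"/>'
           '</manifest><spine><itemref idref="c1"/><itemref idref="c2"/></spine></package>')
    clean = '<html xmlns="http://www.w3.org/1999/xhtml"><body><p>Chapter one.</p></body></html>'
    scripted = ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
                '<img src="x.png" onerror="/* attacker code */"/>'
                '<a href="javascript:void(0)">click</a>'
                '<script>/* runs with the reader session */</script></body></html>')
    svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* also executes */</script></svg>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The EPUB spec requires the mimetype member first and uncompressed.
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", container)
        zf.writestr("OEBPS/content.opf", opf)
        zf.writestr("OEBPS/ch1.xhtml", clean)
        zf.writestr("OEBPS/ch2.xhtml", scripted)
        zf.writestr("OEBPS/cover.svg", svg)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Usage: python epub_scan.py /path/to/library  (no argument: scan the built-in sample)
    if len(sys.argv) > 1:
        for path in Path(sys.argv[1]).rglob("*.epub"):
            for member, hits in scan_epub(path.read_bytes()).items():
                print(f"{path}: {member}: {', '.join(hits)}")
    else:
        for member, hits in scan_epub(build_sample_epub()).items():
            print(f"{member}: {', '.join(hits)}")
```

Run against the sample, the clean chapter produces nothing while `OEBPS/ch2.xhtml` is reported for its `onerror` handler, its `javascript:` link and its `<script>` element, and `OEBPS/cover.svg` for the SVG script. Pointing the script at a library folder walks every `.epub` under it; books it flags should be reviewed before an administrator opens them in the reader.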

Responsible

GitHub M

Reservation

06/20/2025

Disclosure

06/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00278

KEV

no

Activities

very low
