Cybersecurity researchers at Synacktiv have uncovered two critical vulnerabilities in Snipe-IT, an open-source IT asset management system, that can be chained together to achieve remote code execution (RCE) on affected servers. The flaws, tracked as CVE-2025-59712 and CVE-2025-59713, affect all versions of Snipe-IT prior to 8.1.18.
Together, these vulnerabilities could allow a low-privileged user to completely compromise the Snipe-IT instance by exploiting a stored cross-site scripting (XSS) flaw and a deserialization vulnerability in the application’s backend.
According to Synacktiv’s report, “Two vulnerabilities in the Snipe-IT web application have been found, allowing a low-privileged user to perform remote code execution on the underlying server hosting the Snipe-IT instance by chaining the two vulnerabilities.”
The first issue, CVE-2025-59712, is a stored XSS vulnerability in the User-Agent field of an action log. The second, CVE-2025-59713, is an unsafe use of the PHP unserialize() function in the ActionlogsTransformer.php file, which can lead to arbitrary code execution when combined with the first flaw.
CVE-2025-59712 – Stored XSS in User-Agent Field
The first vulnerability lies in the User-Agent HTTP header that Snipe-IT logs whenever a user updates their profile information. When a user submits a request to /account/profile, their request headers are recorded in the system’s action logs.
However, Synacktiv explains that “the Snipe-IT web application does not sanitize the value of this header, leading to JavaScript injection.”
By crafting a malicious User-Agent string such as:
an attacker with low-level credentials can embed arbitrary JavaScript code that executes when an administrator later reviews the activity logs at /reports/activity.
This stored XSS allows the attacker to execute scripts in the administrator’s browser, enabling them to trigger application actions, exfiltrate sensitive files, or even initiate system backups.
In a default Snipe-IT setup, these backups include critical data such as the .env configuration file—which contains secrets like the APP_KEY and database credentials—and an SQL dump of the database. Synacktiv warns that these can be exfiltrated via malicious JavaScript, saying the script could trigger a backup of the Snipe-IT web application and exfiltrate the resulting ZIP file containing sensitive information.
CVE-2025-59713 – RCE via Unserialize in ActionlogsTransformer.php
The second flaw, CVE-2025-59713, occurs due to unsafe deserialization in the ActionlogsTransformer.php file. When an administrator visits the activity report page or makes a request to /api/v1/reports/activity, the backend code attempts to decrypt and unserialize data from the log_meta field in the database.
Synacktiv’s researchers describe the problem as follows: “A call to the unserialize function in the Http/Transformers/ActionlogsTransformer.php file can allow an administrator user to perform code execution on the underlying server hosting the Snipe-IT instance.”
This logic is intended to process encrypted custom fields, but if a malicious actor manipulates the SQL data so that log_meta contains a serialized payload, that payload is decrypted with Laravel’s cryptographic functions and then passed to unserialize(), which instantiates the attacker-chosen objects and runs their magic methods.
By creating a specially crafted backup file containing a malicious Laravel POP chain, an attacker can trigger RCE upon restoring the backup or when an admin loads the activity logs.
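The unserialize() step is the dangerous part of the logic described above. The following is an added example, not Snipe-IT’s code: a simplified stand-in for the decrypt-then-unserialize pattern (decryption omitted, since with a leaked APP_KEY the decrypted bytes are attacker-controlled anyway), beside two hardened forms. The class AuditHook and the functions are hypothetical names chosen for illustration.

```php
<?php
// Added example (not Snipe-IT's code): why unserialize() on data an attacker
// can influence is dangerous, and two ways to remove object instantiation.

// Stand-in for a gadget class. Any class with a magic method (__wakeup,
// __destruct, __toString, ...) can run logic during or after deserialization.
class AuditHook
{
    public string $note = '';

    public function __wakeup(): void
    {
        // In a real POP chain this is where the attacker's side effect happens.
        echo "__wakeup() executed with note={$this->note}\n";
    }
}

// Constructed sample: a serialized object, as it could sit in a log_meta column.
$untrusted = 'O:9:"AuditHook":1:{s:4:"note";s:7:"payload";}';

// Vulnerable pattern: no class restriction, so any loadable class is instantiated.
function unsafeLogMeta(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: forbid all classes. Objects degrade to
// __PHP_Incomplete_Class and no magic method of an application class runs.
function safeLogMeta(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): store metadata as JSON, a format
// that cannot express PHP objects or class names at all.
function jsonLogMeta(string $blob): array
{
    $decoded = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// The class name printed first is the gadget class, after its __wakeup() ran;
// the second is the incomplete-class placeholder, with no application code run.
echo get_class(unsafeLogMeta($untrusted)), "\n";
echo get_class(safeLogMeta($untrusted)), "\n";
try {
    jsonLogMeta($untrusted);
} catch (JsonException $e) {
    // A PHP-serialized blob is simply not valid JSON and is rejected outright.
    echo "rejected as JSON: ", $e->getMessage(), "\n";
}
```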
The Full Exploit Chain: From XSS to RCE
Synacktiv developed a proof-of-concept exploit that chains the XSS and deserialization vulnerabilities to gain full remote control over the Snipe-IT instance.
The attack proceeds in several stages:
- The attacker logs in as a low-privileged user and updates their profile, injecting a malicious JavaScript payload in the User-Agent header.
- When an administrator views the activity logs, the script executes in their browser and triggers a backup of the Snipe-IT instance.
- The attacker’s script downloads the backup, extracts the .env file to obtain the APP_KEY, and uses it to encrypt a serialized PHP gadget chain using tools like phpggc and laravel-crypto-killer.
- The script modifies the mysql-snipeit.sql file inside the backup to include the malicious chain.
- It then uploads the tampered backup and restores it via the web interface.
- Finally, when the admin visits /reports/activity, the malicious serialized payload is deserialized and executed, granting the attacker remote code execution as the web server user (www-data).
Synacktiv summarizes the process: “A low-privileged user can chain the XSS and deserialization vulnerabilities to obtain remote code execution on the Snipe-IT server.”
Their proof-of-concept script automates the full sequence and supports three modes:
- xss: Trigger only the stored XSS.
- rce: Trigger the deserialization attack directly (admin access required).
- fullchain: Perform the full attack from XSS to RCE.
Both vulnerabilities were fixed in Snipe-IT version 8.1.18, with individual commits addressing the issues: