Vulnerability Description
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served.
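The check the description says is missing, as an added example (my own code, not part of Turms; the class, method names and the fixed set of accepted formats are assumptions): the decision is made from the leading bytes of the body, and the client-declared Content-Type is only echoed in the error.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example, not Turms code: classify an upload by its leading bytes (file signature),
// ignoring both the client-supplied Content-Type header and the filename extension.
public final class ImageSignatureValidator {

    private static final byte[] PNG  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF  = {'G', 'I', 'F', '8'};  // covers GIF87a and GIF89a

    private ImageSignatureValidator() {}
    /** Returns the media type implied by the signature, or null if no allowed image format matches. */
    public static String detectImageType(byte[] head) {
        if (startsWith(head, PNG))  return "image/png";
        if (startsWith(head, JPEG)) return "image/jpeg";
        if (startsWith(head, GIF))  return "image/gif";
        return null;
    }

    private static boolean startsWith(byte[] data, byte[] sig) {
        if (data.length < sig.length) return false;
        for (int i = 0; i < sig.length; i++) {
            if (data[i] != sig[i]) return false;
        }
        return true;
    }

    /** Reads only the first 8 bytes of the body; the declared type is used for the message, never for the decision. */
    public static String requireImage(InputStream upload, String declaredContentType) throws IOException {
        String detected = detectImageType(upload.readNBytes(8));
        if (detected == null) {
            throw new IllegalArgumentException(
                "body matches no allowed image signature (client declared " + declaredContentType + ")");
        }
        return detected;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a genuine PNG header, and an HTML document declared as image/png.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        System.out.println(requireImage(new ByteArrayInputStream(png), "image/png"));
        try {
            requireImage(new ByteArrayInputStream("<html><script>".getBytes()), "image/png");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because readNBytes consumes the head of the stream, a real handler would check the already-buffered bytes (or use mark/reset) before passing the body to the OCR engine, and should still let the image decoder fully parse the file, since a matching signature alone does not prove the remainder is a well-formed image.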
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Turms-Im | Turms | 0.10.0-snapshot |
Related Weaknesses (CWE)
References
- https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66908_report.md (Exploit, Third Party Advisory)
- https://github.com/turms-im/turms (Product)
- https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/im (Product)
FAQ
What is CVE-2025-66908?
CVE-2025-66908 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/...
How severe is CVE-2025-66908?
CVE-2025-66908 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2025-66908?
Check the references section above for vendor advisories and patch information. Affected products include: Turms-Im Turms.