RomM 4.4.0 XSS + CSRF Chain Enables Admin Account Takeover (CVE‑2025‑65027)
What Happened — A chain of unrestricted file‑upload (XSS) and CSRF token‑reuse vulnerabilities (CVE‑2025‑65027) was disclosed for RomM < 4.4.1. An attacker with a low‑privilege “viewer” account can upload a malicious HTML avatar, then lure an admin to open it, forcing a password change and full account takeover.
Why It Matters for TPRM —
- Credential‑level compromise of a third‑party service can cascade to your environment.
- The flaw exploits trusted‑user functionality, highlighting the risk of over‑privileged integrations.
- Remediation may require patching, configuration changes, or replacing the vendor for critical workloads.
Who Is Affected — SaaS/self‑hosted media‑library platforms, gaming‑content providers, and any organization that integrates RomM for ROM management or internal media distribution.
Recommended Actions —
- Verify RomM version; upgrade to 4.4.1 or later immediately.
- Enforce least‑privilege for user roles; restrict “viewer” accounts from file uploads.
- Audit CSRF token handling and SameSite cookie settings.
- Review logs for suspicious avatar uploads or password‑change API calls.
Technical Notes — The attack requires an authenticated low‑privilege account, leverages an unrestricted avatar upload (XSS) to host a malicious HTML file, and reuses the victim’s CSRF token to bypass SameSite protection, culminating in a PUT /api/users/1 request that resets the admin password. No exploit code beyond the posted PoC is required. Source: Exploit‑DB 52505
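Detection logic for the log-review action above and the upload-to-PUT chain in the technical notes, as an added example that is not part of this advisory or of the RomM project: it parses constructed access-log lines in an assumed format, flags avatar uploads whose declared type is not an image, and correlates them with a PUT to a user record issued by a different account shortly afterwards. The log format and the avatar endpoint path are assumptions; only PUT /api/users/1 comes from the advisory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real RomM logs); assumed format is
# "<ISO 8601 time> <user> <method> <path> <status> <request Content-Type or ->".
SAMPLE_LOG = """\
2025-11-20T10:00:01Z viewer1 POST /api/users/7/avatar 200 text/html
2025-11-20T10:02:31Z admin PUT /api/users/1 200 application/json
2025-11-20T11:15:00Z viewer2 POST /api/users/9/avatar 200 image/png
2025-11-20T13:00:00Z admin PUT /api/users/1 200 application/json
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) (?P<ctype>\S+)$")
AVATAR_RE = re.compile(r"^/api/users/\d+/avatar$")  # assumed upload route
USER_PUT_RE = re.compile(r"^/api/users/\d+$")       # user-record update (PUT /api/users/1)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
WINDOW = timedelta(minutes=30)  # how long after an upload a PUT is correlated

def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def suspicious_uploads(events):
    """Successful avatar uploads whose declared type is not a raster image. The
    declared type is client-controlled: treat as a triage signal, then inspect the file."""
    return [e for e in events
            if e["method"] == "POST" and AVATAR_RE.match(e["path"])
            and e["status"][0] == "2" and e["ctype"].lower() not in IMAGE_TYPES]

def correlated_takeovers(events):
    """PUTs to a user record by a *different* account within WINDOW of a
    suspicious upload: the upload -> lure -> forced password change chain."""
    findings = []
    for up in suspicious_uploads(events):
        for e in events:
            if (e["method"] == "PUT" and USER_PUT_RE.match(e["path"])
                    and e["user"] != up["user"]
                    and up["ts"] <= e["ts"] <= up["ts"] + WINDOW):
                findings.append((up["user"], e["user"], e["path"], e["ts"].isoformat()))
    return findings
```

The 13:00 PUT falls outside the correlation window and is not reported, while the admin PUT two minutes after the text/html upload is; tune WINDOW to the session lifetime of your deployment.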