ThingsBoard IoT Platform 4.2.0 SSRF Vulnerability (CVE‑2025‑34282) Exposes Internal Services
What Happened – A Server‑Side Request Forgery (SSRF) flaw (CVE‑2025‑34282) was discovered in ThingsBoard IoT Platform versions earlier than 4.2.1. By uploading a crafted SVG through the Image Upload Gallery, an attacker can make the server issue HTTP requests to arbitrary internal endpoints on the attacker's behalf.
Why It Matters for TPRM –
- SSRF can be leveraged to pivot to internal APIs, databases, or metadata services that third‑party vendors host.
- Exploitation requires only a valid Tenant‑Admin bearer token, a credential often granted to partner integrations.
- Successful abuse may lead to data exfiltration, credential harvesting, or further lateral movement within a supply‑chain environment.
Who Is Affected – IoT platform providers, SaaS vendors, and any organization that integrates ThingsBoard for device telemetry, including manufacturing, smart‑city, energy, and logistics sectors.
Recommended Actions –
- Verify that all ThingsBoard deployments are upgraded to 4.2.1 or later.
- Review tenant‑admin token issuance policies; enforce least‑privilege and short‑lived tokens.
- Implement network‑level egress filtering to block outbound requests to internal IP ranges from the ThingsBoard application server.
- Conduct a targeted SSRF test on any custom widget or image‑upload functionality.
Technical Notes – The SSRF vector is the SVG <image xlink:href> attribute: the server‑side image parser follows the referenced URL when it processes the uploaded file, so the request originates from the ThingsBoard server's network position. No public CVE‑linked patches existed before the 4.2.1 release. The vulnerability is classified under VULNERABILITY_EXPLOIT and can be triggered with a valid Tenant‑Admin bearer token. Source: Exploit‑DB 52551
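The following validator is an added example, not part of this advisory and not ThingsBoard's own code; it implements the kind of pre-upload check the last two recommended actions call for. It parses an SVG, collects every href/xlink:href and CSS url() reference, and classifies each as fragment, inline data, relative, internal (loopback, RFC 1918, link-local, IPv6 private, plus decimal- or hex-encoded IPv4 hosts) or external, so an upload handler can reject anything that would make the server fetch a remote resource. The two sample SVGs are constructed for illustration; the function names are hypothetical.

```python
# Added example (not ThingsBoard code): reject SVG uploads that would make the
# server-side image parser fetch an external or internal-network resource.
import ipaddress
import re
import xml.etree.ElementTree as ET  # production code should prefer defusedxml
from urllib.parse import urlparse

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
# Address ranges a server should never be tricked into contacting.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def classify_href(value: str) -> str:
    """Classify a reference as fragment, inline, relative, internal or external."""
    v = value.strip()
    if not v or v.startswith("#"):
        return "fragment"            # points inside the same document
    if v.lower().startswith("data:"):
        return "inline"              # embedded payload, no fetch needed
    parsed = urlparse(v)
    scheme = parsed.scheme.lower()
    if scheme in ("file", "gopher", "dict", "jar"):
        return "internal"            # non-HTTP schemes reach local resources
    host = parsed.hostname
    if host is None:
        return "relative"            # resolved relative to the server itself
    if host == "localhost" or host.endswith((".internal", ".local")):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # Catch "http://2130706433/" or "http://0x7f000001/" style hosts.
            ip = ipaddress.ip_address(int(host, 0))
        except ValueError:
            # A DNS name cannot be resolved offline; treated as external here.
            return "external"
    return "internal" if any(ip in net for net in PRIVATE_NETS) else "external"


def scan_svg(svg_bytes: bytes) -> list:
    """Return (element, reference, classification) for every reference found."""
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        for attr in HREF_ATTRS:
            if attr in el.attrib:
                ref = el.attrib[attr]
                findings.append((tag, ref, classify_href(ref)))
        if tag == "style" and el.text:           # CSS url() also triggers fetches
            for ref in CSS_URL_RE.findall(el.text):
                findings.append(("style", ref, classify_href(ref)))
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept only references that never leave the document."""
    return all(cls in ("fragment", "inline") for _, _, cls in scan_svg(svg_bytes))


# Constructed samples: a benign SVG and one carrying an internal-network reference.
SAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot"/>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""

UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://10.0.0.5:8080/internal/" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_SVG), ("unsafe", UNSAFE_SVG)):
        print(name, "accepted" if is_safe_svg(doc) else "rejected", scan_svg(doc))
```

Because hostnames are not resolved, a DNS name that points at an internal address (or is rebound after validation) is reported as external; this check therefore complements the egress filtering in the recommended actions rather than replacing it, and the internal/external split is mainly useful for alert severity when logging rejected uploads.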