CVE-2025-27500

Name of the Vulnerable Software and Affected Versions OpenZiti versions prior to 3.7.1

Description The issue concerns an endpoint, "/api/upload", on the admin panel that can be accessed without authentication. This endpoint allows file uploads via HTTP POST, which are then stored on the node and accessible via URL. If a malicious file containing code is uploaded and accessed, it can lead to a stored cross-site scripting attack when executed within the user's browser context. The function is no longer necessary and has been disabled as the ziti-console transitions from a node server application to a single-page application.

Recommendations For versions prior to 3.7.1, update to version 3.7.1 to resolve the issue. As a temporary workaround, consider disabling access to the "/api/upload" endpoint until the update is applied.