Summary: RabbitMQ, a popular messaging and streaming broker used in various applications and services, has been found vulnerable to a sophisticated attack in versions prior to 4..3. This attack, which may lead to manipulation of virtual host names and other on-disk files, may result in arbitrary JavaScript code execution in the browsers of affected management UI users.
Body
RabbitMQ is a widely-used, high-performance message broker that facilitates communication between services or applications by managing queues of messages. It plays a crucial role in many software architectures and is deployed in diverse environments, from cloud-based systems to on-premises servers. Versions of RabbitMQ prior to 4..3, however, carry a security vulnerability (CVE-2025-30219) that exposes users of the management UI to a cross-site scripting attack.
The core of the issue lies in the handling of virtual host names by the RabbitMQ management UI. Virtual host names, which serve as logical containers for different applications and queues within the same RabbitMQ node, are typically displayed in the management UI when an error occurs or when a virtual host fails to start. In affected versions of RabbitMQ, the virtual host name in these error messages was not properly escaped, leaving it vulnerable to an XSS (cross-site scripting) attack.
A potential attack scenario involves a malicious user modifying a virtual host name on disk to include JavaScript code, then orchestrating a situation where the virtual host fails to start. When the error message is then displayed in the management UI, the JavaScript code in the virtual host name could be executed in the browsers of users accessing the management UI.
To see how the vulnerability is triggered, consider the following illustrative pseudocode (it is not a real RabbitMQ API; the calls stand in for an attacker editing the on-disk virtual host name and then causing that virtual host to fail at startup):

```java
// Illustrative pseudocode only: a virtual host whose name carries HTML markup
VirtualHost newVirtualHost = new VirtualHost("<script>alert('XSS');</script>");
rabbitMQServer.addVirtualHost(newVirtualHost);   // the tainted name is now on disk
rabbitMQServer.failVirtualHost(newVirtualHost);  // force a startup failure so the UI reports it
```

This snippet shows a RabbitMQ virtual host being created with a name containing JavaScript code. Once the virtual host is added and then fails, the management UI displays an error message containing the unescaped virtual host name, which may lead to arbitrary JavaScript execution in the browser of anyone viewing that error.
To address this vulnerability, the % character is now escaped in virtual host names. The patched releases, open source RabbitMQ 4..3, Tanzu RabbitMQ 4..3, and Tanzu RabbitMQ 3.13.8, include this fix.
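The following browser-side example, added here and not taken from RabbitMQ's own management UI code, contrasts the vulnerable pattern described above (an untrusted virtual host name interpolated straight into error-message markup) with an escaped rendering, shows percent-encoding of the name where it becomes a URL path segment (the `/api/vhosts/` route shape is assumed for illustration), and adds a small operator-side audit that flags suspicious names in a constructed virtual host listing.

```javascript
// Added example (not RabbitMQ code): safe vs. unsafe rendering of a vhost
// name in an error message, plus an audit helper for operators.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five HTML metacharacters so text renders as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted name lands in the markup verbatim.
function renderVhostErrorUnsafe(vhostName, reason) {
  return `<div class="error">Virtual host '${vhostName}' failed to start: ${reason}</div>`;
}

// Hardened pattern: every untrusted field is escaped before concatenation.
function renderVhostErrorSafe(vhostName, reason) {
  return `<div class="error">Virtual host '${escapeHtml(vhostName)}' failed to start: ${escapeHtml(reason)}</div>`;
}

// Vhost names also appear in URL paths. A path segment must be percent-encoded
// so that '/', '%' and '#' inside the name cannot alter the route.
// The route prefix is an assumption made for this illustration.
function vhostPath(vhostName) {
  return "/api/vhosts/" + encodeURIComponent(vhostName);
}

// Operator-side check: given objects shaped like a vhost listing, return the
// names that contain markup or URL-significant characters for manual review.
function auditVhostNames(vhosts) {
  const suspicious = /[<>"'&%]/;
  return vhosts.filter((v) => suspicious.test(v.name)).map((v) => v.name);
}

// Constructed sample listing; the third entry mirrors the snippet above.
const SAMPLE_VHOSTS = [
  { name: "/" },
  { name: "orders" },
  { name: "<script>alert('XSS');</script>" },
  { name: "50%off" },
];

const tainted = SAMPLE_VHOSTS[2].name;
console.log("unsafe:", renderVhostErrorUnsafe(tainted, "boot failed"));
console.log("safe:  ", renderVhostErrorSafe(tainted, "boot failed"));
console.log("path:  ", vhostPath("a/b%c"));
console.log("audit: ", auditVhostNames(SAMPLE_VHOSTS));
```

Run with `node` to see the unsafe string still containing a live `<script>` tag while the safe string contains only `&lt;script&gt;`; the audit output lists the two names an operator would want to inspect before and after upgrading.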
It is highly recommended to upgrade to the latest RabbitMQ versions to mitigate this vulnerability. Additional information can be found in the official RabbitMQ release notes for 4..3 and 3.13.8.
While this vulnerability may seem complex at first, understanding the attack vector helps developers and operators secure their RabbitMQ installations. Upgrading promptly and reviewing how other parts of your application render untrusted names and identifiers will help maintain the integrity and safety of users and their data.
Timeline
Published on: 03/25/2025 23:15:36 UTC
Last modified on: 03/27/2025 16:45:46 UTC