Platform: php
Component: growatt-cloud-portal
Fixed in: 3.6.0
CVE-2025-24297 describes a critical Cross-Site Scripting (XSS) vulnerability affecting the Growatt Cloud portal. This flaw arises from insufficient server-side input validation, enabling attackers to inject malicious JavaScript code into users' personal spaces within the portal. Versions 0.0 through 3.6.0 are vulnerable, and a patch is available in version 3.6.0.
Successful exploitation of CVE-2025-24297 allows an attacker to execute arbitrary JavaScript code within the context of a victim's Growatt Cloud portal session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, and defacement of the user's personal space. Attackers could potentially gain access to sensitive data related to solar energy production and system configurations. The impact is particularly severe because the portal likely handles sensitive user information and control over connected devices.
CVE-2025-24297 was publicly disclosed on 2025-04-15. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been observed as of this writing, but the ease of XSS exploitation suggests that it is likely to be developed. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting Growatt Cloud portal users.
Exploit Status
EPSS: 0.37% (58th percentile)
The primary mitigation for CVE-2025-24297 is to immediately upgrade the Growatt Cloud portal to version 3.6.0 or later. If upgrading is not immediately feasible, consider implementing strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which scripts can be loaded. Additionally, carefully review and sanitize all user-supplied input before rendering it in the portal. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a user's personal space and verifying that it is properly sanitized and does not execute.
Update the Growatt Cloud portal to version 3.6.0 or higher. This version includes server-side input validation to prevent the injection of malicious JavaScript code. See the release notes for more details about the update.
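An added example, not Growatt's code, showing the two compensating controls listed above (a CSP header plus server-side validation and output encoding of user-supplied input) on a PHP page that renders a user's personal-space fields; the profile field names, the `e()` helper and the stored sample value are assumed for illustration.

```php
<?php
// Added example, not Growatt's code: the compensating controls the
// advisory lists (CSP, plus validating and encoding user-supplied input)
// applied to a PHP page that renders a user's "personal space" fields.
// Field names and the stored sample value are constructed for illustration.
declare(strict_types=1);

// Save path: reject control characters and over-long values before storage.
// Validation narrows what is stored; it does not replace output encoding.
function validateProfileField(string $value, int $maxLen = 200): string
{
    if (mb_strlen($value, 'UTF-8') > $maxLen
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 1) {
        throw new InvalidArgumentException('profile field rejected');
    }
    return $value;
}

// Render path: encode for the HTML body/attribute context so a stored
// payload is displayed as text instead of being parsed as markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSP with a per-response nonce: inline scripts that lack this nonce
// (any script stored via the vulnerable field) are blocked by the browser.
function cspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Constructed stored profile, standing in for data written into a personal
// space before the fix. Note that validation alone lets the markup through;
// the encoding at render time is what keeps it inert.
$profile = [
    'display_name' => validateProfileField('<img src=x onerror="alert(1)">'),
    'bio'          => validateProfileField('Rooftop array, 5 kW'),
];
$nonce = base64_encode(random_bytes(16));
header(cspHeader($nonce));
?>
<!doctype html>
<meta charset="utf-8">
<h1>Personal space of <?= e($profile['display_name']) ?></h1>
<p><?= e($profile['bio']) ?></p>
<script nonce="<?= e($nonce) ?>">console.log('only nonce-bearing scripts run');</script>
```

The nonce must be freshly generated for every response; reusing a fixed value removes the protection the policy is meant to provide.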
CVE-2025-24297 is a critical Cross-Site Scripting (XSS) vulnerability in Growatt Cloud portal versions 0.0 through 3.6.0 that allows attackers to inject malicious JavaScript code.
If you are using Growatt Cloud portal versions 0.0 through 3.6.0, you are potentially affected by this vulnerability.
Upgrade to Growatt Cloud portal version 3.6.0 or later to resolve this vulnerability. Implement CSP headers as a temporary workaround.
While no active exploitation has been confirmed, the high CVSS score suggests a high probability of exploitation. Monitor for any signs of attacks.
Refer to the official Growatt security advisory for detailed information and updates regarding CVE-2025-24297.