CVE-2025-30219 | RabbitMQ has XSS Vulnerability in an Error Message in Management UI

RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack: modifying a virtual host name on disk and then making that virtual host unrecoverable (with other on-disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions display an error message (a notification) in the management UI. The error message includes the virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3 and 3.13.8. An attack that both makes a virtual host fail to start and either creates a new virtual host whose name contains an XSS snippet or changes the name of an existing virtual host on disk could therefore trigger arbitrary JavaScript execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue.
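The defect the description names is the classic one: an untrusted value (the virtual host name read from disk) is concatenated into notification markup without HTML escaping. The following JavaScript is an added illustration, not RabbitMQ's management UI code; the function names, the notification markup, the reviewer check and the constructed vhost name are all assumptions. It renders the same notification two ways, once with the unsafe concatenation pattern and once with escaping applied to every untrusted value, so the difference can be checked on a sample name that carries markup.

```javascript
// Added example (not RabbitMQ's own management UI code): rendering a
// "virtual host failed to start" notification with the vhost name
// HTML-escaped, the class of fix CVE-2025-30219 describes.
// Function names and the notification markup are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can change HTML structure or break out of
// an attribute value. '&' must be escaped too, otherwise a name that
// already contains "&lt;" would be decoded by the browser into a literal '<'.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the pre-4.0.3 behaviour the advisory describes):
// the untrusted name is concatenated straight into markup.
function renderNotificationUnsafe(vhostName, reason) {
  return `<div class="notification error">Virtual host ${vhostName} failed to start: ${reason}</div>`;
}

// Hardened pattern: every untrusted value is escaped before concatenation.
// The vhost name and the failure reason both originate from on-disk state,
// so both are treated as untrusted.
function renderNotificationSafe(vhostName, reason) {
  return `<div class="notification error">Virtual host ${escapeHtml(vhostName)} failed to start: ${escapeHtml(reason)}</div>`;
}

// Reviewer check (assumed helper): after stripping the notification's own
// wrapper element, flag any tag start or inline event-handler attribute that
// survived into the rendered body. Used here to contrast the two renderers.
function containsActiveMarkup(html) {
  const body = html
    .replace(/^<div class="notification error">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z!/]/i.test(body) || /\bon[a-z]+\s*=/i.test(body);
}

// Constructed sample: a vhost name carrying a script tag, standing in for a
// name that was altered on disk as the advisory describes.
const CONSTRUCTED_VHOST = 'prod<script>alert(1)</script>';

// Constructed sample of a legitimate name that must still render correctly.
const LEGIT_VHOST = 'orders & billing';

// Demonstrate both renderers on the constructed samples.
function demo() {
  return {
    unsafeIsActive: containsActiveMarkup(renderNotificationUnsafe(CONSTRUCTED_VHOST, 'boot failed')),
    safeIsActive: containsActiveMarkup(renderNotificationSafe(CONSTRUCTED_VHOST, 'boot failed')),
    legitRendered: renderNotificationSafe(LEGIT_VHOST, 'boot failed'),
  };
}

console.log(demo());
```

Escaping at the point of concatenation is shown because it matches the string-building style of the unsafe snippet; an equivalent fix in a DOM-based UI is to assign the name through `textContent` rather than `innerHTML`, which never parses the value as markup. The ampersand rule matters for legitimate names as well: `orders & billing` must survive as `orders &amp; billing` in the markup so the browser displays it unchanged.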

Published: 2025-03-25 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-30219 is rated Low Risk (26.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-30219

EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-05-03  0.12%           0.02%           -0.10%
2  2026-02-22  0.15%           0.12%           -0.03%
3  2026-01-19  0.15%

Full EPSS history (9 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-30219

CVSS metrics for this CVE.

Base score  Version  Severity  Vector                                        Exploitability  Impact  Score source
6.1         3.1      MEDIUM    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L  0.8             4.7     [email protected]

Vector breakdown:
Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it's not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H): They need powerful rights (admin, root, or similar) before this pays off.
User interaction (UI:N): Nobody has to click "OK" or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources (bigger blast radius).
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn't meaningfully altered or forged.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption, not a full brick.

Weakness enumeration for CVE-2025-30219

OS Trackers for CVE-2025-30219

Vendor: debian. Priority: not yet assigned. Summary: CVE-2025-30219 not yet assigned priority; Debian tracks 1 source package (rabbitmq-server), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. Link: https://security-tracker.debian.org/tracker/CVE-2025-30219
Vendor: redhat. Priority: medium. Link: https://access.redhat.com/security/cve/CVE-2025-30219
Vendor: suse. Priority: medium. Summary: CVE-2025-30219 severity moderate; SUSE tracks 21 source package names (cloud-netconfig-azure-1.15-slfo.1.1_1.1, cloud-netconfig-ec2-1.15-slfo.1.1_1.1, …), 71 product×package rows across 31 product lines (Image SL-Micro-Azure, Image SL-Micro-BYOS-Azure, …): Fixed 66, First Fixed 5. Link: https://www.suse.com/security/cve/CVE-2025-30219/
Vendor: ubuntu. Priority: medium. Summary: CVE-2025-30219 medium priority; Ubuntu tracks 1 source package (rabbitmq-server), 7 status rows across 7 suites (bionic, focal, jammy, noble, oracular, upstream, xenial): released 5, not-affected 2. Link: https://ubuntu.com/security/CVE-2025-30219

Affected software / configurations for CVE-2025-30219

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-30219

cvelogic Threat Intelligence