CVE-2025-12922
Published: 10 November 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-12922 is a path traversal vulnerability (CWE-22) affecting OpenClinica Community Edition versions up to 3.12.2 and 3.13. The issue resides in an unknown part of the file /ImportCRFData?action=confirm within the CRF Data Import component, where manipulation of the xml_file argument enables attackers to traverse paths outside the intended directory. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-11-10.
The vulnerability can be exploited remotely by low-privileged users (PR:L) over the network with low attack complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized file access, modification, or disruption via path traversal in the CRF data import functionality.
Advisories from VulDB and security researcher disclosures on GitHub detail the issue but note that the vendor was contacted early without any response, indicating no official patches or mitigations are available. Proof-of-concept exploits, including raw requests, have been publicly released.
In notable context, the exploit has been made public and could be used against unpatched instances, increasing the risk for deployments of the affected OpenClinica versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing OpenClinica web app (T1190: Exploit Public-Facing Application) enables arbitrary file reads from local system (T1005: Data from Local System).