CVE-2025-24366
Published: 07 February 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-24366 is a vulnerability in SFTPGo, an open-source, event-driven file transfer solution. The issue arises from missing sanitization of client-provided arguments in the optional `rsync` command, which can be activated alongside default SSH commands. This command is disabled by default and limited to the local filesystem, excluding cloud or remote storage backends. It has been classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
An authenticated remote user with low privileges can exploit this vulnerability over the network by supplying specially crafted `rsync` options via SSH. Successful exploitation allows the attacker to read or write arbitrary files on the local filesystem with the permissions of the SFTPGo server process, potentially leading to unauthorized data access or modification. The CVSS v3.1 base score of 7.5 reflects high impact on confidentiality, integrity, and availability, though it requires high attack complexity.
The SFTPGo security advisory and commit fixing the issue recommend upgrading to version v2.6.5, which addresses the flaw by validating client-provided `rsync` arguments. No workarounds are available. Relevant resources include the GitHub security advisory at GHSA-vj7w-3m8c-6vpx and the patch commit b347ab6051f6c501da205c09315fe99cd1fa3ba1.
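The mitigation the advisory describes, validating client-provided `rsync` arguments before the server process runs them, can be implemented as an allowlist check on the SSH exec request. The following Go function is an added illustration written for this page, not SFTPGo's own code: the permitted option set, the `root` directory and the command shape are assumptions, and it confines the single path argument to the user's root rather than trusting whatever the client sent.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// allowedLong lists the only long options accepted from a client for a
// server-side rsync session (assumed minimal set, illustration only).
var allowedLong = map[string]bool{"--server": true, "--sender": true}

// allowedShort is the set of single-letter flags permitted inside a
// combined cluster such as "-vlogDtpre.iLsfxC" (assumed illustrative set).
const allowedShort = "vlogDtprzeuniLsfxCSc."

// validateRsyncArgs checks a client-supplied rsync command line and returns
// the single destination path confined under root, or an error if any
// argument falls outside the allowlist.
func validateRsyncArgs(args []string, root string) (string, error) {
	if len(args) == 0 || args[0] != "rsync" {
		return "", errors.New("not an rsync command")
	}
	var pathArg string
	for _, a := range args[1:] {
		switch {
		case a == ".":
			// rsync's placeholder separating options from the path.
		case allowedLong[a]:
		case strings.HasPrefix(a, "--"):
			return "", fmt.Errorf("long option not allowed: %q", a)
		case strings.HasPrefix(a, "-") && len(a) > 1:
			for _, c := range a[1:] {
				if !strings.ContainsRune(allowedShort, c) {
					return "", fmt.Errorf("short flag not allowed: %q", c)
				}
			}
		default:
			if pathArg != "" {
				return "", errors.New("more than one path argument")
			}
			pathArg = a
		}
	}
	if pathArg == "" {
		return "", errors.New("missing path argument")
	}
	// Clean the path as absolute first so ".." cannot climb above root,
	// then re-anchor it under the user's root directory.
	return path.Join(root, path.Clean("/"+pathArg)), nil
}
```

Any option not on the allowlist is rejected outright, so the server never has to reason about which rsync options are harmful.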
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) in the public-facing SFTPGo SSH/rsync handler allows remote authenticated attackers to execute arbitrary commands and access files via crafted arguments.