CVE-2025-24372
Published: 05 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24372 is a vulnerability in CKAN, an open-source data management system used for powering data hubs and portals. It allows a registered user to upload a specially crafted file containing code that, when executed, can send arbitrary requests to the server. If an administrator opens the file, this could lead to privilege escalation for the original submitter or other malicious actions. The issue affects CKAN versions prior to 2.10.7 and 2.11.2, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-79.
A registered user on the CKAN site can exploit this vulnerability over the network by uploading the malicious file. Exploitation requires only low privileges (a registered account) and low complexity, but depends on user interaction: an administrator must open the file. Once the embedded code runs, it can send arbitrary requests to the server while the administrator is interacting with the file, potentially resulting in high-impact confidentiality and integrity violations, such as unauthorized access to sensitive data or modification of site resources, without affecting availability.
The vulnerability has been fixed in CKAN 2.10.7 and 2.11.2, and users are advised to upgrade. For versions prior to these releases, site maintainers can mitigate by restricting allowed file types using the configuration options `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types`. File uploads can be entirely disabled with `ckan.upload.user.types = none`. Additional details are available in the CKAN documentation and the fixing commit at https://github.com/ckan/ckan/commit/7da6a26c6183e0a97a356d1b1d2407f3ecc7b9c8.
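A small audit helper, added here as an example and not taken from CKAN or the advisory, that classifies a site from its reported version and its .ini configuration using the fix releases and upload options named above. It assumes the upload options live in the `[app:main]` section and that versions are written as `major.minor.patch`.

```python
import configparser
import re

# Added example (not CKAN code). Assumes upload options live in [app:main].
# Fix releases named in the advisory: 2.10.7 and 2.11.2.
FIXED_PATCH = {(2, 10): 7, (2, 11): 2}
UPLOAD_OPTIONS = (
    "ckan.upload.user.types", "ckan.upload.user.mimetypes",
    "ckan.upload.group.types", "ckan.upload.group.mimetypes",
)

def parse_version(version: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised CKAN version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_vulnerable(version: str) -> bool:
    # Releases before the fix on their branch are vulnerable; older branches
    # (e.g. 2.9) are treated as unpatched, later branches as not affected.
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return branch < (2, 10)

def upload_settings(ini_text: str) -> dict:
    # Return the four upload allow-list options (None when not set).
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["app:main"] if cp.has_section("app:main") else cp[cp.sections()[0]]
    return {opt: section.get(opt) for opt in UPLOAD_OPTIONS}

def assess(version: str, ini_text: str) -> str:
    # 'patched': fixed build; 'mitigated': uploads disabled; 'restricted':
    # allow-lists set (review them); 'exposed': vulnerable, nothing configured.
    if not is_vulnerable(version):
        return "patched"
    settings = upload_settings(ini_text)
    if (settings["ckan.upload.user.types"] or "").strip().lower() == "none":
        return "mitigated"
    if all(settings.values()):
        return "restricted"
    return "exposed"

# Constructed sample configuration applying the advisory's stop-gap.
SAMPLE_INI = """\
[app:main]
ckan.upload.user.types = none
"""
```

A "restricted" result only means the allow-lists are configured; the values themselves still need to be reviewed against what the site actually needs to accept.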
Details
- CWE(s): CWE-79
- MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
The vulnerability description explicitly states that the issue leads to privilege escalation when a low-privileged user uploads a crafted file whose code executes upon administrator interaction; this maps directly to exploiting a software vulnerability to obtain higher privileges.