CVE-2025-24886
Published: 30 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24886 is a vulnerability in pwn.college, an educational platform for hands-on cybersecurity training, specifically in its dojo component. When the platform clones or updates a user-specified dojo repository it checks the repository for symlinks, but the check is incorrect and can be bypassed, so symlinks in the repository are honoured and a local file inclusion (LFI) from the CTFd container becomes possible. Associated CWEs are CWE-61 (UNIX symbolic link following) and CWE-200 (exposure of sensitive information to an unauthorized actor). The CVSS v3.1 base score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N): network-reachable, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality impact, no integrity or availability impact.
Any low-privileged user of the platform can exploit the flaw; no admin rights are needed. The attacker crafts a Git repository containing symlinks that point at sensitive files, then has the platform clone or update it as a dojo. Because the symlink validation does not reject these entries, the links resolve when the dojo content is served, and the attacker reads the targeted files through the CTFd website interface. The impact is a high confidentiality loss with a changed scope: the files exposed belong to the CTFd container rather than to the dojo repository the user controls.
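The following Python is an added illustration, not code from the pwn.college dojo project, and it does not reproduce the specific flaw in the advisory. It shows the class of bug the summary describes: a symlink scan over a user-supplied checkout that looks correct but misses symlinked directories, next to a hardened scan that lstat()s every entry, plus a containment check applied when a path from the checkout is later read. The directory layout, file names and "secret" content are constructed sample data; no Git clone is performed.

```python
"""
Symlink checks on a user-supplied checkout: a flawed scan and a hardened one.

Added example (not the dojo project's code). The naive scan only inspects
entries os.walk reports as files, so a symlink to a directory, which
os.walk reports under `dirs` and does not descend into, is never seen.
Any later read through that link escapes the checkout.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def build_fixture() -> Tuple[str, str]:
    """Construct a fake checkout next to a 'sensitive' file (sample data).

    Layout:
      <base>/secret.txt                 the file an attacker wants
      <base>/repo/README.md             ordinary file
      <base>/repo/dojo.yml              ordinary file
      <base>/repo/challenges -> <base>  symlinked DIRECTORY escaping the repo
    """
    base = tempfile.mkdtemp(prefix="dojo-symlink-demo-")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("flag{constructed-sample-secret}\n")
    repo = os.path.join(base, "repo")
    os.mkdir(repo)
    Path(repo, "README.md").write_text("# demo dojo\n")
    Path(repo, "dojo.yml").write_text("id: demo\n")
    # The attacker-controlled entry: a symlink to a directory outside the repo.
    os.symlink(base, os.path.join(repo, "challenges"))
    return repo, secret


def naive_has_symlink(repo: str) -> bool:
    """Flawed scan: checks only the `files` list from os.walk."""
    for root, _dirs, files in os.walk(repo):
        for name in files:
            if os.path.islink(os.path.join(root, name)):
                return True
    return False  # symlinked directories are silently accepted


def strict_find_symlinks(repo: str) -> List[str]:
    """Hardened scan: lstat every directory and file entry, never follow links."""
    found = []
    for root, dirs, files in os.walk(repo, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if stat.S_ISLNK(os.lstat(path).st_mode):
                found.append(os.path.relpath(path, repo))
    return sorted(found)


def resolve_within(repo: str, relpath: str) -> Optional[str]:
    """Second line of defence when a path from the checkout is served.

    Returns the fully resolved path if it stays inside the checkout root,
    otherwise None. Catches both symlink escapes and '..' traversal.
    """
    root = Path(repo).resolve()
    candidate = (root / relpath).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)


def demo() -> dict:
    """Run both scans and the containment check against the fixture."""
    repo, _secret = build_fixture()
    leaked = Path(repo, "challenges", "secret.txt").read_text()
    return {
        "naive_flags_repo": naive_has_symlink(repo),
        "strict_symlinks": strict_find_symlinks(repo),
        "naive_read_leaks_secret": leaked.startswith("flag{"),
        "contained_read_blocked": resolve_within(repo, "challenges/secret.txt") is None,
        "ordinary_path_allowed": resolve_within(repo, "dojo.yml") is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to any project that clones user-supplied repositories: scan with `lstat` on every entry, directories included, so a link is detected as a link rather than as what it points to; and, independently of the scan, resolve every path taken from the checkout and require that the result stays under the checkout root before reading it. The first check stops the repository being accepted; the second stops a read even if a link slipped through (for example, one created after the scan by a later update).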
Mitigation details are provided in the GitHub security advisory at https://github.com/pwncollege/dojo/security/advisories/GHSA-fcq8-jqq5-9xmh.
Details
- CWE(s)
  - CWE-61: UNIX Symbolic Link (Symlink) Following
  - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MITRE ATT&CK Enterprise Techniques
- T1005: Data from Local System
Why these techniques?
The LFI via flawed symlink validation lets an adversary read arbitrary sensitive files from the local file system of the CTFd container, which is collection of files of interest from a local source and matches T1005 Data from Local System.