CVE-2025-24888
Published: 13 February 2025
Description
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login.
Security Summary
CVE-2025-24888 is a path traversal vulnerability (CWE-22) in the SecureDrop Client prior to version 0.14.1, a desktop application used by journalists to communicate with sources and handle submissions on the SecureDrop Workstation. The issue resides in the reply download functionality within the sd-app Qubes virtual machine, where the filename derived from the server's Content-Disposition HTTP header determines the initial write location for the encrypted reply file on disk. Although filenames are generated and sanitized server-side, a malicious server can specify a traversing path, and a subsequent safe_move() check fails to relocate the file, leaving it in the arbitrary location.
Exploitation requires an attacker to first compromise the target organization's SecureDrop Server, a dedicated physical machine hardened with multiple layers and exposed only via Tor hidden services (and optionally SSH). With server control, the attacker can craft a reply's HTTP response to write the encrypted file to a directory like /home/user/.config/autostart/, enabling autostart execution and remote code execution on the client sd-app VM. The private OpenPGP key remains isolated in a separate VM, and uncompromised remote attackers, such as fake sources, cannot trigger this due to encryption and sanitization.
Version 0.14.1 of the SecureDrop Client fixes the vulnerability. The GitHub security advisory (GHSA-6c3p-chq6-q3j2) and fixing commit (120bac14649db0bcf5f24f2eb82731c76843b1ba) detail the patch, which addresses the unsafe initial write before path validation.
As of publication on 2025-02-13, no evidence of real-world exploitation exists. The CVSS score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) is high; its High attack-complexity component reflects the need for server compromise as a prerequisite.
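As an added example, not code from the SecureDrop Client or its fix commit: a Python download routine that validates the filename taken from the Content-Disposition header against the download directory before the first byte is written, which is the ordering the advisory says the fix restores. The header values, directory layout and function names are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample Content-Disposition values, not captured from any real server.
SAFE_HEADER = 'attachment; filename="3-reply.gpg"'
TRAVERSAL_HEADER = 'attachment; filename="../../.config/autostart/evil.desktop"'


def filename_from_content_disposition(header: str) -> str:
    """Extract the untrusted filename parameter from a Content-Disposition value."""
    m = re.search(r'filename="?([^";]+)"?', header)
    if not m:
        raise ValueError("no filename parameter in Content-Disposition")
    return m.group(1)


def resolve_in_dir(base_dir: Path, untrusted_name: str) -> Path:
    """Map an untrusted name to a path under base_dir, rejecting any escape."""
    # A download name must be a single path component: no separators, no '..'.
    if untrusted_name in ("", ".", "..") or Path(untrusted_name).name != untrusted_name:
        raise ValueError(f"rejected filename: {untrusted_name!r}")
    base = base_dir.resolve()
    candidate = (base / untrusted_name).resolve()
    if candidate.parent != base:  # second check after symlink resolution
        raise ValueError(f"rejected filename: {untrusted_name!r}")
    return candidate


def safe_download(base_dir: Path, header: str, body: bytes) -> Path:
    # Validate the destination BEFORE any byte reaches disk, then write atomically.
    dest = resolve_in_dir(base_dir, filename_from_content_disposition(header))
    # Stage inside base_dir so even a partial write never lands elsewhere.
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        os.replace(tmp, dest)
    finally:
        if os.path.exists(tmp):  # only left behind if the write failed
            os.unlink(tmp)
    return dest


def demo() -> tuple[str, bool, list[str]]:
    # Run both headers against a fresh temp directory (constructed demo input).
    base = Path(tempfile.mkdtemp())
    written = safe_download(base, SAFE_HEADER, b"-----BEGIN PGP MESSAGE-----")
    try:
        safe_download(base, TRAVERSAL_HEADER, b"[Desktop Entry]")
        rejected = False
    except ValueError:
        rejected = True
    return written.name, rejected, sorted(p.name for p in base.iterdir())
```

Running demo() writes only the benign reply into the temp directory and rejects the traversing name without creating any file, because the check precedes the write rather than following it.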
Details
- CWE(s): CWE-22 (Path Traversal)
- MITRE ATT&CK Enterprise Techniques: T1547.013, T1203
Why these techniques?
Path traversal in client download enables arbitrary file write to autostart directory for execution (T1547.013) and directly supports exploitation of client application vulnerability for RCE (T1203).