CVE-2025-24891
Published: 31 January 2025
Description
Adversaries may transfer tools or other files from an external system into a compromised environment.
Security Summary
CVE-2025-24891 is a path traversal vulnerability (CWE-22, CWE-276) affecting Dumb Drop, a file upload application. Published on 2025-01-31, it enables users with permission to upload files to the service to overwrite arbitrary system files through improper path handling. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and potential for high impacts across confidentiality, integrity, and availability.
The attack scenario targets users able to interact with the upload functionality. That set may include wholly unprivileged external attackers if the service runs without authentication enabled, or, when a PIN is configured, anyone who holds it. Exploitation occurs over the network and requires user interaction, allowing attackers to leverage the default root privileges of the container to overwrite any system file without restriction. This can enable injection of malicious payloads into files executed on schedule or triggered by service actions, potentially granting full root access.
Mitigation details are provided in the Dumb Drop GitHub security advisory (GHSA-24f2-fv38-3274) and a related commit (cb586316648ccbfb21d27b84e90d72ccead9819d), which address the path traversal issue.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing file upload app allows arbitrary system file overwrites from the network, directly enabling exploitation of a public-facing application (T1190), root privilege escalation inside the container (T1068), and ingress of malicious payloads to arbitrary locations for later execution (T1105).