CVE-2025-24962

CVE-2025-24962 is a command injection vulnerability (CWE-74) in reNgine, an automated reconnaissance framework for web applications. The flaw allows a user to inject arbitrary commands through the nmap_cmd parameters in affected versions prior to the fix in commit c28e5c8d. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.

An authenticated user with low privileges can exploit this vulnerability over the network without user interaction by supplying malicious input via the nmap_cmd parameters. Successful exploitation enables arbitrary command execution on the host running reNgine, resulting in high impacts to confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.

The issue has been addressed in GitHub commit c28e5c8d304478a787811580b4d80b330920ace4, with the fix expected in the next versioned release of reNgine. Security practitioners should update to the patched commit, implement input filtering for nmap_cmd and similar parameters, and monitor the project repository for the official release, as detailed in the GitHub security advisory GHSA-cg75-ph7x-5rr9.