Cyber Posture

CVE-2025-24971

Published: 04 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: N/A
EPSS Score: 0.1026 (93.2nd percentile)
Risk Priority: 6 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Security Summary

CVE-2025-24971 is an OS Command Injection vulnerability (CWE-78) in the DumbDrop application, a simple file upload tool that provides a drag-and-drop interface for files. The flaw resides in the `/upload/init` endpoint and affects instances of DumbDrop where the Apprise Notification feature is enabled.

An attacker can exploit this vulnerability remotely to execute arbitrary operating system commands, potentially leading to full remote code execution on the affected server. Exploitation requires the Apprise Notification feature to be enabled; no authentication is mentioned as a prerequisite, which suggests the flaw may be reachable by unauthenticated users interacting with the upload endpoint.

The issue has been fixed in commit `4ff8469d69019d200046a67d326f51703bc4da63`, and all users are advised to apply the patch immediately. According to the GitHub security advisory (GHSA-rx8m-jqm7-vcgp), there are no known workarounds available.

Details

CWE(s)
CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in a public-facing web endpoint enables remote exploitation of the application (T1190) and direct execution of arbitrary OS commands via shell interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References