Cyber Posture

CVE-2025-27092

Severity: High · Public PoC

Published: 19 February 2025
Modified: 27 February 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0057 (68.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

CVE-2025-27092 is a path traversal vulnerability (CWE-22) in GHOSTS, an open source user simulation framework. The /api/npcs/{id}/photo endpoint serves an NPC's profile photo from the NPC's photoLink value without validating it, so a photoLink containing ../ or ..\ sequences lets an unauthenticated remote attacker read arbitrary files from the server with the permissions of the web application process. Fixed in GHOSTS 8.2.7.90.

Security Summary

CVE-2025-27092 is a path traversal vulnerability (CWE-22) affecting GHOSTS version 8.0.0.0, an open source user simulation framework developed for cyber experimentation, simulation, training, and exercise. The issue resides in the /api/npcs/{id}/photo endpoint, which serves profile photos for Non-Player Characters (NPCs) but does not validate or sanitize the file path it builds from the NPC's photoLink value. When an NPC is created with a photoLink containing path traversal sequences such as ../ or ..\, the endpoint joins that value onto the photo directory as-is, so the resulting path can point to any file outside the intended photo directory.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): exploitable remotely over the network with low complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact. Any unauthenticated attacker with network access to the GHOSTS API can exploit it in two requests: create an NPC whose photoLink carries the traversal sequence, then request that NPC's photo endpoint, which returns the targeted file. What is readable is bounded only by the permissions of the web application process (and, where the API runs in a container, by that container's filesystem), so configuration files and any credentials they hold, such as database connection strings, are the obvious targets.

The vulnerability has been addressed in GHOSTS version 8.2.7.90, and all users are advised to upgrade immediately, as no workarounds are available; until the upgrade is applied, limiting network access to the API to trusted hosts reduces exposure but does not remove the flaw. Details of the fix are in GitHub commit e69827556a52ff813de00e1017c4b62598d2c887 and the security advisory GHSA-qr67-m6w9-wj3j.
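The flaw described above and the shape of its fix, as an added example that is not code from the GHOSTS project: resolve_photo_vulnerable models a lookup that joins photoLink onto the photo directory with no validation, and resolve_photo_hardened shows the checks a patched endpoint needs (reject absolute paths and any ".." component, then canonicalize and confirm the result is still under the photo root). The photo directory, function names and sample photoLink values are constructed for illustration; the only photoLink patterns taken from the advisory are the ../ and ..\ sequences.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed photoLink values: a benign name, the two traversal styles named in
# the advisory, an absolute path, and a ".." that lands back inside the root.
SAMPLE_PHOTO_LINKS = [
    "npc1.png",
    "../appsettings.json",
    "..\\..\\etc\\passwd",
    "/etc/passwd",
    "sub/../npc1.png",
]


def resolve_photo_vulnerable(photo_root: str, photo_link: str) -> str:
    """Model of the flawed lookup (not GHOSTS code): join photoLink onto the photo
    directory with no validation. Both separators are honoured, as a Windows host
    would, so "../" and "..\\" both walk out of photo_root, and an absolute link
    replaces photo_root entirely."""
    link = photo_link.replace("\\", "/")
    return os.path.normpath(os.path.join(photo_root, link))


class UnsafePhotoLink(ValueError):
    """Raised when a photoLink must not be served."""


def resolve_photo_hardened(photo_root: str, photo_link: str) -> str:
    """Hardened lookup: cheap syntactic rejects first, then a canonical containment check."""
    if "\x00" in photo_link:
        raise UnsafePhotoLink("NUL byte in photoLink")
    link = photo_link.replace("\\", "/")
    # Reject absolute paths in either convention (/etc/passwd, C:\Windows\...).
    if link.startswith("/") or PureWindowsPath(photo_link).is_absolute():
        raise UnsafePhotoLink("absolute path not allowed")
    # Reject any parent-directory component instead of trying to normalise it away.
    if any(part == ".." for part in link.split("/")):
        raise UnsafePhotoLink("parent-directory component not allowed")
    # Canonicalise (follows symlinks) and require the result to stay under the root;
    # this is the check that catches whatever the string tests above missed.
    root = Path(photo_root).resolve()
    candidate = (root / link).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePhotoLink("resolved path escapes the photo directory") from None
    return str(candidate)


def classify_links(photo_root: str, links=SAMPLE_PHOTO_LINKS) -> dict:
    """For each photoLink return (vulnerable lookup escapes root, hardened lookup rejects)."""
    root = Path(photo_root).resolve()
    results = {}
    for link in links:
        resolved = Path(resolve_photo_vulnerable(photo_root, link)).resolve()
        try:
            resolved.relative_to(root)
            escapes = False
        except ValueError:
            escapes = True
        try:
            resolve_photo_hardened(photo_root, link)
            rejected = False
        except UnsafePhotoLink:
            rejected = True
        results[link] = (escapes, rejected)
    return results


def demo() -> dict:
    """Run the comparison against a throwaway photo directory and return the table."""
    with tempfile.TemporaryDirectory() as tmp:
        photo_root = os.path.join(tmp, "photos")
        os.makedirs(photo_root)
        Path(photo_root, "npc1.png").write_bytes(b"\x89PNG constructed placeholder")
        return classify_links(photo_root)


if __name__ == "__main__":
    for link, (escapes, rejected) in demo().items():
        print(f"{link!r:26} vulnerable escapes root: {escapes!s:5}  hardened rejects: {rejected}")
```

The hardened version deliberately rejects "sub/../npc1.png" even though it normalises to a file inside the root: a photo link never legitimately needs "..", and refusing the component outright is simpler to reason about than deciding which normalisations are safe. The final relative_to check after resolve() is the one that still holds if a symlink inside the photo directory points elsewhere.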

Details

CWE(s)
CWE-22

Affected Products

cmu
ghosts
8.0.0 up to, but not including, 8.2.7.90 (the fixed release)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing API endpoint gives a remote, unauthenticated attacker arbitrary file reads from the server filesystem. That maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1005 (Data from Local System) for collection of sensitive files such as configuration files or credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References