CVE-2025-66022
Published: 26 November 2025
Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction's extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the missing authentication check on the /portal/AppStoreDashboard endpoint by prohibiting sensitive actions like extension uploads without identification and authentication.
- Enforces access control policies requiring authentication and authorization for the extension management UI, preventing unauthenticated attackers from uploading malicious extensions.
- Prohibits installation and execution of unapproved user-installed software such as malicious extensions, mitigating RCE even if an upload occurs.
Security Summary
CVE-2025-66022 is a remote code execution (RCE) vulnerability in FACTION, a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, the extension execution path in Faction's extension framework allows untrusted extension code to execute arbitrary system commands on the server hosting Faction when a lifecycle hook is invoked. This flaw stems from improper authentication and access controls, specifically a missing authentication check on the /portal/AppStoreDashboard endpoint, which exposes the extension management UI.
Unauthenticated attackers can exploit this vulnerability over the network by accessing the unauthenticated endpoint to upload a malicious extension. Once uploaded, invoking a lifecycle hook triggers the execution of arbitrary system commands, achieving full RCE on the Faction host. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its high severity, with low attack complexity, no privileges required, user interaction needed, and changed scope impacting confidentiality, integrity, and availability. Associated CWEs include CWE-287 (Improper Authentication), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), and CWE-862 (Missing Authorization).
The issue has been addressed in FACTION version 1.7.1, as detailed in the project's GitHub security advisory (GHSA-xr72-2g43-586w) and the patching commit (c6389f1c76175b7c1c68d1a87b389311b16c62c3). Security practitioners should upgrade to 1.7.1 or later and review access to extension management endpoints.
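The two weaknesses the summary describes, an extension-management endpoint reachable without identification and an extension accepted for installation without any approval check, can be shown side by side in a small, framework-free handler. The following is an added illustrative example, not Faction's code and not the 1.7.1 patch; the `Request`/`Session` types, the role name `admin`, and the SHA-256 allowlist of approved extension bundles are assumptions made for the demonstration.

```python
"""Added example (not Faction's code): an extension-management handler in
the shape the advisory describes (no identity check before accepting an
upload) beside a hardened form that applies the three mitigating controls
listed above: identification/authentication, authorization, and an
allowlist of approved extensions. All types and names are hypothetical."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, message)


@dataclass
class Session:
    """Hypothetical server-side session; user is None when unauthenticated."""
    user: Optional[str] = None
    roles: frozenset = frozenset()


@dataclass
class Request:
    """Hypothetical request object carrying the caller's session and body."""
    path: str
    method: str
    session: Session
    body: bytes = b""


# Constructed allowlist: SHA-256 digests of extension bundles an administrator
# has reviewed and approved (the "unapproved software" control, CM-11 style).
APPROVED_EXTENSIONS = {hashlib.sha256(b"approved-extension-bytes").hexdigest()}

# Records what each handler actually installed, so the difference is visible.
installed_by_vulnerable = []
installed_by_hardened = []


def vulnerable_app_store_dashboard(req: Request) -> Response:
    """Pre-1.7.1 shape: the endpoint never looks at req.session, so an
    anonymous POST is accepted and the bundle is installed as-is."""
    if req.method == "POST":
        installed_by_vulnerable.append(req.body)
        return 200, "extension installed"
    return 200, "dashboard"


def require_auth(role: str) -> Callable:
    """Decorator enforcing identification (401) and authorization (403)
    before the wrapped handler runs."""
    def decorator(fn: Callable[[Request], Response]) -> Callable[[Request], Response]:
        def wrapper(req: Request) -> Response:
            if req.session.user is None:
                return 401, "authentication required"
            if role not in req.session.roles:
                return 403, "forbidden"
            return fn(req)
        return wrapper
    return decorator


@require_auth("admin")
def hardened_app_store_dashboard(req: Request) -> Response:
    """Hardened shape: only an authenticated admin reaches this code, and an
    upload is installed only if its digest is on the approved list."""
    if req.method == "POST":
        digest = hashlib.sha256(req.body).hexdigest()
        if digest not in APPROVED_EXTENSIONS:
            return 422, "extension not on the approved list"
        installed_by_hardened.append(req.body)
        return 200, "extension installed"
    return 200, "dashboard"


if __name__ == "__main__":
    anon = Request("/portal/AppStoreDashboard", "POST", Session(), b"unreviewed-bundle")
    print("vulnerable, anonymous POST:", vulnerable_app_store_dashboard(anon))
    print("hardened, anonymous POST:  ", hardened_app_store_dashboard(anon))
    admin = Session("alice", frozenset({"admin"}))
    ok = Request("/portal/AppStoreDashboard", "POST", admin, b"approved-extension-bytes")
    print("hardened, admin + approved:", hardened_app_store_dashboard(ok))
```

The decorator is the part that corresponds to the missing check in the advisory: because it wraps the handler, there is no code path into the upload logic that skips the session test. The allowlist is the defence-in-depth layer for the second weakness, so that even a successful upload by a compromised admin account cannot get an unreviewed bundle, and whatever its lifecycle hooks do, onto the host.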
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a public-facing web application flaw allowing unauthenticated remote code execution via malicious extension upload and lifecycle hook invocation, directly mapping to Exploit Public-Facing Application (T1190).