Cyber Posture

CVE-2025-69288

CriticalPublic PoC

Published: 31 December 2025

Published
31 December 2025
Modified
13 January 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization,…

more

it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly addresses the improper input validation of timeEntryRule by requiring sanitization and validation before execution in NodeVM, preventing RCE.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely remediation of identified flaws, such as patching to Titra version 0.99.49 which fixes the unsanitized code execution.

CM-5 Access Restrictions for Change partial match
prevent

CM-5 restricts and authorizes changes to system data like timeEntryRule in the database, limiting admin modifications that could introduce malicious payloads.

Security SummaryAI

CVE-2025-69288 is a remote code execution vulnerability in Titra, an open source project time tracking software. In versions prior to 0.99.49, the application allows any authenticated Admin user to modify the timeEntryRule value directly in the database. This value is subsequently passed to a NodeVM context for execution as code without proper sanitization, enabling arbitrary code execution. The vulnerability is associated with CWE-20 (Improper Input Validation) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An attacker with authenticated Admin privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious timeEntryRule payload and updating it in the database, the attacker triggers execution within the NodeVM sandbox, achieving full remote code execution on the server. The changed scope (S:C) amplifies the impact, granting high confidentiality, integrity, and availability effects, potentially allowing server compromise.

Mitigation is addressed in Titra version 0.99.49, which fixes the issue by implementing proper sanitization or validation of the timeEntryRule before NodeVM execution. Security practitioners should upgrade to this version immediately. Relevant resources include the fixing commit at https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e, the release page at https://github.com/kromitgmbh/titra/releases/tag/0.99.49, and the GitHub security advisory at https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr.

Details

CWE(s)
CWE-20NVD-CWE-noinfo

Affected Products

kromit
titra
≤ 0.99.49

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

The vulnerability is a remote code execution in a web-based application via unsanitized input to NodeVM (Node.js JS executor), directly enabling T1190 (Exploit Public-Facing Application) and facilitating T1059.007 (JavaScript) execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References