Command Injection Vulnerability in DreamFactory by DreamFactory Software
CVE-2025-13700

7.2HIGH

Key Information:

Vendor: Dreamfactory
Status: Dreamfactory
Vendor: CVE Published:; 23 December 2025

🔔 Create Dreamfactory Vulnerability Alert

What is CVE-2025-13700?

A command injection vulnerability exists within the saveZipFile method of DreamFactory, allowing remote attackers to execute arbitrary code. The flaw arises from inadequate validation of user input before it is utilized in a system call. Attackers can exploit this to run malicious code with the privileges of the service account, thereby compromising system integrity. Authentication is a prerequisite for exploiting this vulnerability, highlighting the importance of securing access to vulnerable installations.

Affected Version(s)

DreamFactory 7.0.0

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1024/

x_research-advisory

https://github.com/dreamfactorysoftware/df-core/commit/40...

vendor-advisory

CVSS V3.0

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Nov 25, 2025

JSON