Path Traversal Vulnerability in SecureDrop Client by Freedom of the Press Foundation
CVE-2025-24889
What is CVE-2025-24889?
SecureDrop Client is the desktop application journalists use inside the SecureDrop Workstation, a set of isolated virtual machines running on Qubes OS. Prior to versions 0.14.1 and 1.0.1 it contained a path traversal flaw in its log file handling. Log messages from the workstation's other VMs are forwarded to the isolated sd-log VM, which writes each VM's log to a file whose path is derived from the sending VM's name. Because the VM name supplied with a log entry was used without sanitization, an attacker who had already gained code execution in another workstation VM could submit a log entry carrying a crafted VM name (one containing path separators or parent-directory components, for instance) and make sd-log overwrite other VMs' logs or write attacker-controlled content into sensitive directories, ultimately gaining code execution in sd-log. The prerequisite of code execution in some other VM limits the severity, but the flaw breaks the isolation boundary the workstation depends on and enables lateral movement within the SecureDrop environment. The patched releases sanitize the VM name before using it to build a filesystem path.
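To make the failure mode concrete, the following is an added example, not securedrop-client's or securedrop-log's actual code: a model of a log sink that names its output file after the sending VM. The log root, file name, allowlist pattern and function names are assumptions made for this illustration. It contrasts the pre-fix behaviour (peer-supplied name joined straight onto the log directory) with a hardened version that allowlists the VM name and, as defense in depth, confirms the normalized path still lives under the log root.

```python
"""Illustrative log-sink path handling: vulnerable vs. hardened.

This is example code written for this page. It is NOT the SecureDrop
project's implementation; the directory layout, file name and allowlist
below are assumptions chosen to demonstrate the class of bug.
"""
import posixpath
import re
from pathlib import PurePosixPath

# Assumed base directory where sd-log stores per-VM logs.
LOG_ROOT = PurePosixPath("/home/user/QubesIncomingLogs")

# Assumed allowlist for a VM name: must start with an alphanumeric
# character and may then contain letters, digits, '-', '_' and '.'.
# It rejects '/', empty strings, '.' and '..' outright.
VM_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,30}")


def vulnerable_log_path(vm_name: str, root: PurePosixPath = LOG_ROOT) -> PurePosixPath:
    """Pre-fix pattern: the name supplied by the sending VM is joined onto
    the log root unchecked. '..' components walk out of the root, and an
    absolute name discards the root entirely (pathlib semantics)."""
    return root / vm_name / "syslog.log"


def is_under_root(path: PurePosixPath, root: PurePosixPath = LOG_ROOT) -> bool:
    """True if the lexically normalized path stays inside root."""
    normalized = posixpath.normpath(str(path))
    return posixpath.commonpath([str(root), normalized]) == str(root)


def hardened_log_path(vm_name: str, root: PurePosixPath = LOG_ROOT) -> PurePosixPath:
    """Fixed pattern: allowlist the name, then re-check the resulting path.

    The allowlist is the real control; the containment check is defense in
    depth in case the allowlist is ever loosened."""
    if not VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"rejected VM name {vm_name!r}")
    candidate = root / vm_name / "syslog.log"
    if not is_under_root(candidate, root):
        raise ValueError(f"path escapes log root: {candidate}")
    return candidate


def accepts_vm_name(vm_name: str) -> bool:
    """Convenience wrapper: does the hardened path builder accept this name?"""
    try:
        hardened_log_path(vm_name)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Run a constructed set of sender names through both builders."""
    # Constructed sample names: one legitimate VM, three hostile ones.
    samples = ["sd-app", "../../etc/evil", "/etc/cron.d", "sd-app/../sd-proxy"]
    results = {}
    for name in samples:
        vuln = vulnerable_log_path(name)
        results[name] = {
            "vulnerable_path": str(vuln),
            "vulnerable_stays_in_root": is_under_root(vuln),
            "hardened_accepts": accepts_vm_name(name),
        }
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name!r:24} -> {info}")
```

Note the fourth sample, `sd-app/../sd-proxy`: after normalization it still lies under the log root, so a containment check alone would let one VM write into another VM's log file. That is why the allowlist on the raw name is the primary control and path normalization is only a backstop.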
Affected Version(s)
securedrop-client < 0.14.1 (fixed in 0.14.1)
securedrop-client = 1.0.0 (fixed in 1.0.1)
