Path Traversal Vulnerability in Dumb Drop File Upload Application
CVE-2025-24891
What is CVE-2025-24891?
CVE-2025-24891 is a path traversal vulnerability discovered in the Dumb Drop file upload application developed by DumbWare. This application is designed to facilitate file uploads by users who possess the necessary permissions. The vulnerability allows these users to manipulate file paths and overwrite arbitrary system files without proper authentication, as the application operates with root privileges by default. Such a security flaw poses a substantial threat to organizations, as it could lead to unauthorized alterations of critical files and potentially to the injection of malicious code into the system.
Technical Details
The vulnerability arises from improper validation of file paths during the upload process. Attackers can exploit this weakness by using crafted file names to access and overwrite files outside the intended directories. Since the application does not require authentication for execution, even users with minimal permissions can carry out attacks and, in some cases, gain root access to the entire system. This could facilitate further exploitation, such as executing malicious scripts or compromising system integrity.
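The missing validation described above comes down to a containment check on the resolved upload path. The following is an added example, not Dumb Drop's own code or its fix; `UPLOAD_DIR`, `naiveTarget`, `safeTarget` and `isAccepted` are hypothetical names, the file names are constructed, and POSIX paths are assumed.

```javascript
// Added example: containment check for client-supplied upload names.
const path = require("path");

const UPLOAD_DIR = "/srv/uploads"; // assumed upload root (hypothetical)

// Unsafe pattern: joins the client-supplied name and trusts the result.
function naiveTarget(clientName) {
  return path.join(UPLOAD_DIR, clientName);
}

// Hardened pattern: returns an absolute path inside UPLOAD_DIR, or throws.
function safeTarget(clientName) {
  if (typeof clientName !== "string" || clientName.length === 0) {
    throw new Error("missing file name");
  }
  if (clientName.includes("\0")) {
    throw new Error("NUL byte in file name");
  }
  // Treat backslashes as separators so Windows-style names are caught too.
  const unified = clientName.replace(/\\/g, "/");
  if (path.posix.isAbsolute(unified) || /^[A-Za-z]:/.test(unified)) {
    throw new Error("absolute path not allowed");
  }
  // Resolve first, then compare: "a/../../x" only shows its real
  // destination after normalisation.
  const resolved = path.resolve(UPLOAD_DIR, unified);
  const rel = path.relative(UPLOAD_DIR, resolved);
  const escapes =
    rel === "" ||                     // the upload directory itself
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);
  if (escapes) {
    throw new Error("path escapes upload directory");
  }
  return resolved;
}

// Convenience wrapper for request handlers and tests.
function isAccepted(clientName) {
  try {
    safeTarget(clientName);
    return true;
  } catch {
    return false;
  }
}
```

The check is lexical and does not resolve symlinks that already exist inside the upload directory. Running the service as a non-root user limits what a write that does escape could reach.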
Potential impact of CVE-2025-24891
- Unauthorized File Overwrite: Attackers could overwrite sensitive system files, which may disrupt critical services or lead to system instability.
- Remote Code Execution: The ability to inject payloads into key system files can allow malicious actors to execute arbitrary code, potentially leading to full system compromise.
- Escalation of Privileges: Unauthenticated users gaining root access could result in a complete takeover of the affected system, enabling further attacks on the network or infrastructure.

Affected Version(s)
DumbDrop = sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97
