Improper Access Controls in mannaandpoem OpenManus File Handler
CVE-2025-2954

4.8 MEDIUM

Key Information:

Vendor: mannaandpoem
CVE Published: 30 March 2025

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A vulnerability has been identified in the File Handler component of OpenManus by mannaandpoem, in the execute function of app/tool/file_saver.py. The function performs an improper access control check, so a local user can get it to write or modify files without the permissions that should be required. The CVSS v4 assessment on this page reflects that: the attack vector is local, the only impact is to integrity (low), and confidentiality and availability are unaffected. The vendor was contacted early about the disclosure but did not respond.
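To show the kind of check a file-saving tool's execute entry point needs, here is an added example. It is not code from the OpenManus project and not the vendor's fix for this CVE; the function names, parameters and the base-directory policy are assumptions made for illustration. The idea is that a file-save tool driven by untrusted input should only ever write inside a designated workspace, and the check has to survive `..` components, absolute paths and symlinks planted inside the workspace.

```python
"""
Added, hypothetical example: confining a file-saving tool to a base directory.
This is NOT OpenManus's app/tool/file_saver.py and NOT the vendor's fix; the
names below (resolve_inside, save_file, is_allowed, demo) are assumptions used
here to show the access check such an entry point needs.
"""
import os
import tempfile
from pathlib import Path


class PathNotAllowed(Exception):
    """Raised when a requested path would land outside the permitted base directory."""


def resolve_inside(base_dir: str, requested: str) -> Path:
    """Return the real path for `requested`, or raise PathNotAllowed.

    Both sides are resolved with Path.resolve so that symlinks already present
    inside base_dir cannot redirect the write elsewhere.  os.path.join discards
    base_dir when `requested` is absolute, so an absolute input resolves on its
    own and is then rejected by the descendant check unless it lies under base.
    """
    base = Path(base_dir).resolve()
    target = Path(os.path.join(base, requested)).resolve()
    if target != base and base not in target.parents:
        raise PathNotAllowed(f"refusing to write outside {base}: {requested!r}")
    return target


def is_allowed(base_dir: str, requested: str) -> bool:
    """Policy decision only: True if `requested` stays inside base_dir."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except PathNotAllowed:
        return False


def save_file(base_dir: str, requested: str, content: str) -> Path:
    """Hardened save: write `content` only if the path stays inside base_dir."""
    target = resolve_inside(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where available) refuses to follow a symlink as the final
    # component, closing the window between resolve() and the actual open().
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return target


def demo() -> dict:
    """Exercise the check on constructed inputs inside a throwaway workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        outside = os.path.join(tempfile.gettempdir(), "escape.txt")  # constructed: sibling of ws
        results["relative inside"] = is_allowed(ws, "notes/report.txt")
        results["dot-dot escape"] = is_allowed(ws, "../escape.txt")
        results["absolute outside"] = is_allowed(ws, outside)
        # A symlink inside the workspace that points outside it.
        link = Path(ws) / "link"
        try:
            link.symlink_to(tempfile.gettempdir())
            results["symlink escape"] = is_allowed(ws, "link/escape.txt")
        except OSError:  # symlink creation not permitted on this host
            results["symlink escape"] = False
        written = save_file(ws, "notes/report.txt", "hello")
        results["written inside"] = (
            written.read_text() == "hello" and Path(ws).resolve() in written.parents
        )
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18s} -> {'allowed' if allowed else 'blocked'}")
```

The descendant test is done on fully resolved paths rather than on the string the caller supplied; string prefix checks (`requested.startswith(base_dir)`) are exactly the kind of check that `../`, absolute paths and symlinks defeat.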

Affected Version(s)

OpenManus 2025.3.0

OpenManus 2025.3.1

OpenManus 2025.3.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a building block for weaponization, including by ransomware operators.


CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

s0l42 (VulDB User)