CVE-2025-11607 in MoneyPrinterTurbo
Summary
by MITRE • 10/11/2025
A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/25/2026
The vulnerability CVE-2025-11607 represents a critical path traversal flaw within the harry0703 MoneyPrinterTurbo application version 1.2.6 and earlier. This security weakness resides in the upload_music function located within the app/controllers/v1/music.py file, specifically within the API endpoint component that handles music file uploads. The vulnerability stems from inadequate input validation and sanitization of the File argument parameter, which allows attackers to manipulate file paths during the upload process. This flaw enables unauthorized access to the application's file system through crafted file names that contain directory traversal sequences such as ../ or ..\, potentially allowing attackers to write files to arbitrary locations on the server.
The technical implementation of this vulnerability follows the common pattern of path traversal attacks where user-controllable input directly influences file system operations without proper validation. When the upload_music function processes the File argument, it fails to properly sanitize or validate the file path supplied by the attacker, creating an opportunity for malicious actors to navigate the file system beyond the intended upload directory. This weakness directly maps to CWE-22, which categorizes path traversal vulnerabilities as a fundamental security flaw that allows attackers to access files and directories outside of the intended scope. The vulnerability's remote exploitability means that attackers can leverage this flaw from outside the local network without requiring physical access to the system, significantly expanding the attack surface.
The operational impact of this vulnerability extends beyond simple file access, as it could enable attackers to upload malicious files such as web shells or backdoors, potentially leading to complete system compromise. An attacker could leverage this vulnerability to overwrite critical system files, inject malicious code into the application, or access sensitive data stored within the application's file system. The public availability of exploit code further amplifies the risk, as it reduces the barrier to entry for potential attackers and increases the likelihood of successful exploitation. Additionally, the vulnerability could be combined with other attack vectors to escalate privileges or move laterally within the network infrastructure, making it particularly dangerous in enterprise environments where the application may have elevated system permissions.
Organizations should implement immediate mitigations including input validation and sanitization of all file upload parameters, implementing proper file path normalization, and restricting file upload directories to prevent traversal beyond intended locations. The application should enforce strict file type validation and implement secure file naming conventions to prevent path manipulation. Network-level mitigations such as web application firewalls and access controls should be deployed to monitor and restrict file upload operations. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other components of the application. The implementation of principle of least privilege for file system operations and regular security updates should be prioritized to reduce the attack surface. This vulnerability also highlights the importance of following secure coding practices and adhering to OWASP Top Ten security guidelines, particularly those related to file handling and input validation, to prevent similar issues from occurring in future development cycles.