CVE-2025-24366 in sftpgo
Summary
by MITRE • 02/08/2025
SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands, some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and is limited to the local filesystem; it does not work with cloud/remote storage backends. Due to missing sanitization of the client-provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client-provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 02/13/2025
CVE-2025-24366 affects SFTPGo, an open source, event-driven file transfer solution that provides secure file transfer over SSH. SFTPGo supports execution of a defined set of commands over SSH sessions, and rsync is one of the optional commands an administrator can enable. The vulnerability arises from inadequate input validation in the rsync command execution path and can be exploited by authenticated remote attackers. Because rsync is disabled in SFTPGo's default configuration, it becomes an attack vector only in deployments where an administrator has enabled it.
The technical flaw stems from insufficient sanitization of the client-provided arguments when SFTPGo executes rsync. With rsync enabled, user-supplied rsync options were passed to the underlying command without adequate validation, so an authenticated user could choose options that cause rsync to read or write files with the permissions of the SFTPGo server process rather than within the limits of the user's own account. The weak point is the execution context in which client-supplied rsync arguments are processed without security checks, which can expose sensitive files or allow modification of resources that should be restricted.
The operational impact is significant because it lets authenticated remote users perform unauthorized file operations with the privileges of the server process. An attacker could read files that the system's access controls would normally protect, such as configuration files, user data, or credentials. The ability to write files with the server process's permissions could in turn allow modification of system files, installation of malicious code, or establishment of persistence on the affected host. Only systems with rsync enabled are affected, which makes the issue most relevant to organizations that turned on this optional feature for legitimate administrative purposes.
This vulnerability aligns with CWE-74 and CWE-79, representing a code injection flaw in which user-supplied data is not properly validated or sanitized before being used in a command execution context. The attack pattern follows ATT&CK technique T1059.008 for command and scripting interpreter, specifically execution of commands through SSH sessions. The issue is particularly dangerous because it abuses legitimate, enabled functionality, which makes detection harder than for an unexpected command. The fix in SFTPGo version v2.6.5 introduces validation of the client-provided rsync arguments so that only expected, safe arguments are accepted. Organizations should upgrade to the patched version promptly, as no effective workarounds exist for this vulnerability.
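As an added illustration of the kind of argument check the fix describes, the Go function below allowlists an rsync server-mode command line received over SSH and confines the target path to the user's virtual root. It is example code written for this page, not SFTPGo's own implementation; the accepted long options, the short-flag letter set and the `rsync --server [--sender] -<flags> . <path>` syntax it expects are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Assumed allowlist for this example. Any argument not listed here is
// rejected, which excludes every option that names a file or program on
// the server side without having to enumerate those options.
var allowedLong = map[string]bool{"--server": true, "--sender": true}

// Short-flag letters accepted after a leading '-'. The '.' and the letters
// following it are rsync protocol capability markers sent as "-e.xxxx".
const allowedShort = "vlogDtprze.iLsfxCIvu"

// validateRsync returns the single target path, cleaned and anchored at the
// user's virtual root, or an error if the command deviates from the allowlist.
func validateRsync(cmd string) (string, error) {
	args := strings.Fields(cmd)
	if len(args) < 4 || args[0] != "rsync" || args[1] != "--server" {
		return "", errors.New("not an rsync server-mode command")
	}
	sawDot, target := false, ""
	for _, a := range args[2:] {
		switch {
		case sawDot: // everything after "." must be exactly one path
			if target != "" {
				return "", errors.New("more than one path argument")
			}
			target = a
		case a == ".":
			sawDot = true
		case strings.HasPrefix(a, "--"):
			if !allowedLong[a] {
				return "", fmt.Errorf("option not allowed: %s", a)
			}
		case strings.HasPrefix(a, "-") && len(a) > 1:
			for _, c := range a[1:] {
				if !strings.ContainsRune(allowedShort, c) {
					return "", fmt.Errorf("flag not allowed: -%c", c)
				}
			}
		default:
			return "", fmt.Errorf("unexpected argument: %s", a)
		}
	}
	if target == "" {
		return "", errors.New("missing target path")
	}
	// Prefixing "/" before Clean means ".." can never climb above the root.
	return path.Clean("/" + target), nil
}
```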