CVE-2025-70084 in OpenSatKit
Summary
by MITRE • 02/11/2026
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via a crafted value to the FileUtil_GetFileInfo function.
Analysis
by VulDB Data Team • 02/13/2026
CVE-2025-70084 is a directory traversal vulnerability in OpenSatKit version 2.2.1, a critical flaw that exposes sensitive system resources to unauthorized access. It lies in the FileUtil_GetFileInfo function, which processes a user-supplied value without validation or sanitization. A crafted value lets an attacker manipulate the file path, traverse outside the intended directory, and read restricted files or perform destructive file operations. The weakness is classified as CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal.
The flaw stems from missing input validation in FileUtil_GetFileInfo: user-provided data is incorporated directly into file system operations without sanitization. An input containing sequences such as "../" or similar path manipulation patterns moves the resulting path up the directory hierarchy, and because the function neither validates nor filters the path components, the operation runs against a file the caller was never meant to reach. Reachable targets could include configuration files, source code repositories, database files, or other sensitive artifacts that should remain protected. As the vulnerability description notes, the impact is not limited to information disclosure: arbitrary files may also be deleted.
CVE-2025-70084 maps to the ATT&CK techniques T1083 (File and Directory Discovery) and T1490 (Inhibit System Recovery): an attacker can systematically enumerate the file system and disrupt operations through file manipulation. Systems running OpenSatKit 2.2.1 where file system access controls are not sufficiently enforced are affected. Depending on the nature of the data that can be reached, organizations face data breaches, system compromise, and potential regulatory violations, and the impact grows when the application runs with elevated privileges or has access to sensitive data repositories.
Mitigation starts with promptly updating OpenSatKit to the latest version that addresses this vulnerability. Administrators should validate and sanitize all user-supplied data before it reaches a file system operation: canonicalize file paths and reject suspicious path components before use. Run the application under the principle of least privilege, with only the permissions it requires and no ability to traverse directories outside its scope. Network segmentation and monitoring that flags anomalous file access patterns help detect exploitation attempts. The vulnerability is a reminder that secure coding practices and proper input validation, as outlined in the OWASP Top Ten security principles on preventing path traversal, belong in the application's design and defensive programming from the start.
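As an added example (not OpenSatKit's own code, which this page does not reproduce), here is the canonicalization and rejection step described above written in C in the style of a cFS file utility: it normalises a caller-supplied relative path lexically and refuses anything that would leave a configured base directory. The function names, the base directory used in the comments and the buffer size are assumptions for this demo.

```c
/* Added example, not OpenSatKit code: lexically canonicalise a caller-supplied
 * relative path and confine it to one allowed directory before any stat()/remove(). */
#include <string.h>
#define OSK_PATH_MAX 256   /* assumed output buffer size for this demo */
/* Writes BaseDir + "/" + normalised Path into Out and returns 1 when every
 * component stays inside BaseDir; returns 0 (Out left empty) for an absolute
 * path, any ".." that would climb above BaseDir, or a too-small buffer.
 * "." and empty components are dropped, ".." pops one kept component.
 * Symlinks are not resolved here; guard those at open time (e.g. O_NOFOLLOW). */
int FileUtil_ConfinePath(const char *BaseDir, const char *Path, char *Out, size_t OutLen)
{
    const char *Comp[OSK_PATH_MAX / 2];   /* start of each kept component */
    size_t      Len[OSK_PATH_MAX / 2];
    size_t      Depth = 0, Used;
    const char *p = Path;
    Out[0] = '\0';
    if (Path == NULL || Path[0] == '/') return 0;   /* absolute paths never accepted */
    while (*p != '\0') {
        const char *End = strchr(p, '/');
        size_t      n   = End ? (size_t)(End - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (Depth == 0) return 0;     /* would escape BaseDir */
            Depth--;
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (Depth == sizeof Comp / sizeof Comp[0]) return 0;
            Comp[Depth] = p; Len[Depth] = n; Depth++;
        }
        p = End ? End + 1 : p + n;
    }
    if (Depth == 0) return 0;             /* names BaseDir itself, not a file */
    Used = strlen(BaseDir);
    if (Used + 1 >= OutLen) return 0;
    memcpy(Out, BaseDir, Used);
    for (size_t i = 0; i < Depth; i++) {
        if (Used + 1 + Len[i] + 1 > OutLen) { Out[0] = '\0'; return 0; }
        Out[Used++] = '/';
        memcpy(Out + Used, Comp[i], Len[i]);
        Used += Len[i];
    }
    Out[Used] = '\0';
    return 1;
}

/* Wrapper returning the confined path or NULL if rejected (static buffer, not reentrant). */
const char *FileUtil_Confined(const char *BaseDir, const char *Path)
{
    static char Buf[OSK_PATH_MAX];
    return FileUtil_ConfinePath(BaseDir, Path, Buf, sizeof Buf) ? Buf : NULL;
}
```

A caller would run the wrapped value through this check and only then hand the confined result to the stat or unlink call; a NULL return is logged as a rejected request rather than silently mapped to the base directory.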