| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.8 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical was found in DumbWareio DumbDrop sha256bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97. This vulnerability affects unknown code. Such manipulation leads to path traversal. This vulnerability is listed as CVE-2025-24891. The attack may be performed from remote. There is no available exploit. It is advisable to implement a patch to correct this issue.
Details
A vulnerability was found in DumbWareio DumbDrop sha256bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97. It has been rated as critical. Affected by this issue is an unknown function. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.
The advisory is shared for download at github.com. This vulnerability is handled as CVE-2025-24891 since 01/27/2025. The exploitation is known to be easy. The attack may be launched remotely. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1006.
Applying the patch cb586316648ccbfb21d27b84e90d72ccead9819d is able to eliminate this problem. The bugfix is ready for download at github.com.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.9VulDB Meta Temp Score: 7.8
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 9.6
CNA Vector (GitHub_M): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Path traversalCWE: CWE-22
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: cb586316648ccbfb21d27b84e90d72ccead9819d
Timeline
01/27/2025 🔍02/01/2025 🔍
02/01/2025 🔍
02/01/2025 🔍
Sources
Product: github.comAdvisory: GHSA-24f2-fv38-3274
Status: Confirmed
CVE: CVE-2025-24891 (🔍)
GCVE (CVE): GCVE-0-2025-24891
GCVE (VulDB): GCVE-100-294308
Entry
Created: 02/01/2025 04:18Changes: 02/01/2025 04:18 (66)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.