{ "schema_version": "1.4.0", "id": "GHSA-wp68-xrfg-xvq4", "modified": "2025-02-05T21:28:44Z", "published": "2025-02-05T06:30:26Z", "aliases": [ "CVE-2025-1025" ], "summary": "Cockpit Arbitrary File Upload", "details": "Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "cockpit-hq/cockpit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.4.1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1025" }, { "type": "WEB", "url": "https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae" }, { "type": "WEB", "url": "https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592" }, { "type": "WEB", "url": "https://gist.github.com/CHOOCS/fe1227443544d5d74c33982814f290af" }, { "type": "PACKAGE", "url": "https://github.com/Cockpit-HQ/Cockpit" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PHP-COCKPITHQCOCKPIT-8516320" } ], "database_specific": { "cwe_ids": [ "CWE-434" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-02-05T21:28:44Z", "nvd_published_at": "2025-02-05T05:15:10Z" } }