CVE-2019-25355
Published: 18 February 2026
Summary
CVE-2019-25355 is a high-severity Path Traversal (CWE-22) vulnerability in Genivia Gsoap. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25355 is a directory traversal vulnerability (CWE-22) affecting gSOAP 2.8, a toolkit for developing SOAP/XML web services. The flaw enables unauthenticated attackers to access system files through HTTP path traversal techniques in crafted GET requests containing multiple '../' sequences. For example, attackers can retrieve sensitive files such as /etc/passwd. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.
Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. By sending specially crafted GET requests to a vulnerable gSOAP 2.8 instance, they can traverse directories and read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or user information.
Advisories and related resources include a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/47653), the vendor's gSOAP product page (https://www.genivia.com/products.html#gsoap), the Genivia website (https://www.genivia.com/), and a VulnCheck advisory (https://www.vulncheck.com/advisories/genivia-gsoap-gsoap-path-traversal). These references provide further details on the issue, though specific patch information is not detailed in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19708
Vulnerability details
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal sequences.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in public-facing gSOAP web service directly enables remote exploitation of the application (T1190) and arbitrary local file reads such as /etc/passwd (T1005).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2019-25355 by identifying, prioritizing, and remediating the directory traversal flaw in gSOAP 2.8 through patching or upgrades.
- SI-10 (Information Input Validation): validates and sanitizes HTTP GET request paths to block malicious directory traversal sequences such as multiple '../' before processing.
- SC-7 (Boundary Protection): enforces boundary protection at web service interfaces to monitor and block crafted HTTP requests exploiting path traversal.
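The input-validation control above (SI-10), as an added C example that is neither gSOAP's nor the advisory's code: a purely lexical check a server-side GET handler can run before opening anything under its document root. It percent-decodes once, drops the query string, collapses "." and "..", and rejects any request that would climb above the root; `safe_resolve`, `resolve_under` and the "/srv/www" root are assumed names for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    return isdigit(c) ? c - '0' : (tolower(c) >= 'a' && tolower(c) <= 'f') ? tolower(c) - 'a' + 10 : -1;
}
/* Resolve an HTTP request path against docroot without touching the
 * filesystem: percent-decode once, drop the query string, collapse "."
 * and "..", and refuse any path that would climb above docroot.
 * On success writes docroot + clean path to out and returns 0;
 * returns -1 on rejection (traversal, NUL byte, bad escape, overflow). */
int safe_resolve(const char *docroot, const char *req, char *out, size_t outlen) {
    char dec[512], rel[512];
    size_t n = 0;
    for (const char *p = req; *p && *p != '?' && *p != '#'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {                       /* %XX -> byte, decoded exactly once */
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;            /* malformed or truncated escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0 || c == '\\') return -1;   /* NUL or backslash: never legitimate here */
        if (n + 1 >= sizeof dec) return -1;
        dec[n++] = (char)c;
    }
    dec[n] = '\0'; rel[0] = '\0';
    for (char *seg = strtok(dec, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {         /* pop one segment, or reject at the root */
            char *slash = strrchr(rel, '/');
            if (!slash) return -1;
            *slash = '\0';
            continue;
        }
        if (strlen(rel) + 1 + strlen(seg) >= sizeof rel) return -1;
        strcat(rel, "/");
        strcat(rel, seg);
    }
    if ((size_t)snprintf(out, outlen, "%s%s", docroot, rel) >= outlen) return -1;
    return 0;
}
/* Convenience wrapper: resolved path on success, NULL when the request is rejected. */
const char *resolve_under(const char *docroot, const char *req) {
    static char buf[1024];
    return safe_resolve(docroot, req, buf, sizeof buf) == 0 ? buf : NULL;
}
```

A request that passes this check should still be opened with the process confined to the document root (for example a chroot or a dedicated unprivileged user), since lexical checks say nothing about symlinks inside the root.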