Cyber Resilience

CVE-2022-48253

Critical · Public PoC

Published: 11 January 2023
Modified: 08 April 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.3353 (97.0th percentile)
Risk priority: 40 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-48253 is a critical-severity Path Traversal (CWE-22) vulnerability in Nazgul Nostromo. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Nostromo's nhttpd web server before version 2.1 contains a path traversal vulnerability (CWE-22) that is reachable when the homedirs configuration option is enabled. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated exploitation with full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted requests that traverse directories and ultimately execute arbitrary commands on the underlying server. The attack requires no user interaction and succeeds against any exposed instance using the affected homedirs setting.

The EPSS score reached a peak of 0.3353 with no material subsequent change, indicating moderate and stable exploitation interest following public disclosure. Public references describe proof-of-concept paths from directory traversal to remote code execution but provide no additional mitigation details beyond upgrading to Nostromo 2.1 or later.


Vulnerability details

nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nazgul
Product: nostromo
Versions: ≤ 2.1

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
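The control above is the generic defence for this weakness class. As an added illustration (not code from Nostromo or from this page), the function below maps an HTTP request path onto a filesystem path under a base directory and rejects anything that would escape it. The base directory is an assumption standing in for either the document root or, for a per-user URL such as the homedirs feature serves, that user's public directory; the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote


def resolve_request_path(base_dir: str, request_path: str):
    """Map an HTTP request path onto a file under base_dir.

    Returns the resolved path, or None when the request must be rejected.
    base_dir is the only directory the request may read from (assumed here to
    be the document root or one user's public directory).
    """
    # Decode percent-encoding once, exactly as the server does before opening
    # the file. %2e%2e becomes ".." here, so the checks below see the real path.
    decoded = unquote(request_path)
    # A NUL byte would truncate the path in C string APIs; never pass it on.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so "..\" cannot slip past a "/"-only check.
    decoded = decoded.replace("\\", "/")
    # Reject any explicit parent-directory component rather than silently
    # collapsing it: a legitimate client never needs ".." under the document root,
    # and a rejection is an event worth logging.
    if ".." in decoded.split("/"):
        return None
    base = posixpath.normpath(base_dir)
    # Normalise the request relative to "/" (collapses "." and repeated slashes),
    # then append it to base_dir as a relative path.
    relative = posixpath.normpath("/" + decoded).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Defence in depth: the result must be base_dir itself or a descendant of it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical document root.
    docroot = "/var/nostromo/htdocs"
    for req in ["/index.html", "/docs/./a//b.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/..%5c..%5cetc/passwd", "/a/%00.html"]:
        print(f"{req!r:32} -> {resolve_request_path(docroot, req)}")
```

Decoding exactly once matters: a request such as `/%252e%252e/` decodes to the literal directory name `%2e%2e`, which stays inside the base directory, whereas decoding a second time would turn it into `..` and reintroduce the traversal the first check removed.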
