CVE-2024-11629

High

Published: 12 February 2025

Published

12 February 2025

Modified

19 February 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

EPSS Score 0.0076 73.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11629 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Progress Telerik Document Processing Libraries. Its CVSS base score is 7.1 (High).

Operationally, ranked in the top 26.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely remediation through upgrading the Telerik Document Processing Libraries to version 2025.1.205 or later.

SI-10 Information Input Validation good match

prevent

Requires validation of file path inputs to the export function to block arbitrary paths and prevent unauthorized file content disclosure to RTF.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations in the application to restrict reading of arbitrary files, addressing the core access control failure in the vulnerable library.

NVD Description

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.

Deeper analysisAI

CVE-2024-11629 is a vulnerability in Progress Telerik Document Processing Libraries, specifically versions prior to 2025 Q1 (2025.1.205) that use .NET Standard 2.0. It enables the export of contents from a file at an arbitrary path into RTF format, classified under CWE-552 (Files or Directories Accessible to External Parties). The issue was published on 2025-02-12 and carries a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

An attacker requires low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows reading the contents of arbitrary files by exporting them to RTF, resulting in high confidentiality impact (C:H) through unauthorized data disclosure, minor availability impact (A:L), and no integrity impact (I:N).

The official Telerik advisory provides details on mitigation in their knowledge base article at https://docs.telerik.com/devtools/document-processing/knowledge-base/kb-security-rtf-filecontent-export-cve-2024-11629. Upgrading to version 2025.1.205 or later resolves the issue in affected libraries.

Details

CWE(s): CWE-552

Affected Products

progress

telerik document processing libraries

≤ 2025.1.205

CVEs Like This One

CVE-2024-11343Same product: Progress Telerik Document Processing Libraries

CVE-2025-0556Same vendor: Progress

CVE-2025-2324Same vendor: Progress

CVE-2026-2699Same vendor: Progress

CVE-2024-56133Same vendor: Progress

CVE-2024-11626Same vendor: Progress

CVE-2026-4670Same vendor: Progress

CVE-2024-56132Same vendor: Progress

CVE-2024-56135Same vendor: Progress

CVE-2025-13447Same vendor: Progress

References

https://docs.telerik.com/devtools/document-processing/knowledge-base/kb-security-rtf-filecontent-export-cve-2024-11629
Vendor Advisory · security@progress.com