CVE-2024-57407

Severity: High
Published: 10 February 2025
Modified: 15 April 2026
CISA KEV: not listed
CVSS v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.0030 (53.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57407 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Timo v2.0.3, an open-source project hosted on Gitee (product inferred from the references and the CVE description; NVD filed no CPE). Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0030 places it at the 53.7th percentile, i.e. in the top 46.3% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57407 is an arbitrary file upload vulnerability in the /userPicture component of Timo v2.0.3. Published on 2025-02-10, it allows attackers to execute arbitrary code by uploading a crafted file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

The vector requires low privileges (PR:L, for example an ordinary authenticated account), network access (AV:N) and user interaction (UI:R) to trigger the upload. By submitting a crafted file to the /userPicture endpoint, the attacker can obtain arbitrary code execution on the server, compromising confidentiality and integrity (C:H/I:H) without a scored availability impact (A:N). As with other CWE-434 issues, code execution follows when the stored file is reachable through a path the server runtime will interpret rather than serve as static data, so the location and handling of uploaded files, not only the upload check itself, determine exposure.

The public references are a write-up published as a GitHub gist (https://gist.github.com/kaoniniang2/71f6a39535490ea2eeac371f33faec9c) and the upstream issue report on Gitee (https://gitee.com/aun/Timo/issues/IBBTZI). No vendor advisory is listed; check the upstream issue for the status of a fix before relying on a patched version.

Vulnerability details

An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload (CWE-434) in an Internet-reachable web application endpoint is exploited directly against the application (T1190), and the uploaded file is the natural vehicle for a web shell, giving the attacker code execution and persistent access (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
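The T1505.003 mapping above suggests what a defender should look for after the fact: a successful POST to the upload endpoint from a source that then requests its own upload as something other than an image. The following is an added detection example, not code from the page or from the Timo project. The log lines are constructed in combined log format, and the served-upload prefix /upload/ is an assumption about the deployment; only the endpoint name /userPicture comes from the CVE description.

```python
import re
from dataclasses import dataclass

# Constructed access-log lines (combined log format). Hosts, users, timestamps
# and paths are invented for this example; /upload/ is an assumed static prefix
# under which the application serves uploaded avatars.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Feb/2025:09:01:02 +0000] "POST /userPicture HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Feb/2025:09:01:03 +0000] "GET /upload/avatar_alice.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - bob [10/Feb/2025:09:14:55 +0000] "POST /userPicture HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - bob [10/Feb/2025:09:14:57 +0000] "GET /upload/x.jsp?cmd=id HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - bob [10/Feb/2025:09:15:10 +0000] "GET /upload/x.jsp?cmd=whoami HTTP/1.1" 200 380 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

UPLOAD_ENDPOINT = "/userPicture"          # from the CVE description
SERVED_UPLOAD_PREFIX = "/upload/"         # assumption about where uploads are served
# Server-side script extensions that a servlet container or web server would
# interpret instead of serving as data. A profile picture never needs one.
EXECUTABLE_EXTS = {"jsp", "jspx", "jsw", "jsv", "jspf", "php", "phtml", "asp", "aspx", "sh", "war"}


@dataclass(frozen=True)
class Indicator:
    ip: str
    user: str
    path: str
    reason: str


def find_webshell_indicators(log_text: str) -> list[Indicator]:
    """Correlate, per source IP, a successful POST to the upload endpoint with a
    later GET of a served upload that has an executable extension or carries a
    query string (an image fetch has no reason to pass parameters)."""
    uploaded_from: dict[str, str] = {}    # ip -> user who last uploaded successfully
    seen: set[tuple[str, str]] = set()    # (ip, file) pairs already reported
    findings: list[Indicator] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m["ip"], m["user"], m["method"], m["path"], m["status"]
        if method == "POST" and path == UPLOAD_ENDPOINT and status.startswith("2"):
            uploaded_from[ip] = user
            continue
        if method == "GET" and path.startswith(SERVED_UPLOAD_PREFIX) and ip in uploaded_from:
            file_part, _, query = path.partition("?")
            ext = file_part.rsplit(".", 1)[-1].lower() if "." in file_part else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{ext} under served upload path")
            if query:
                reasons.append("query string on an uploaded file request")
            key = (ip, file_part)
            if reasons and key not in seen:
                seen.add(key)
                findings.append(Indicator(ip, uploaded_from[ip], file_part, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for hit in find_webshell_indicators(SAMPLE_LOG):
        print(f"{hit.ip} ({hit.user}) -> {hit.path}: {hit.reason}")
```

The correlation keys on source IP because the upload and the follow-up request need not use the same authenticated session. A production version would also compare the upload directory on disk against the allow-listed image types, since a web shell that is only ever requested through a proxy or CDN may not appear in the origin's access log.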

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

Timo v2.0.3 (project hosted on Gitee at https://gitee.com/aun/Timo)
Inferred from the references and the CVE description; NVD did not file a CPE for this CVE, so asset matching must be done by product name and version rather than by CPE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) directly addresses arbitrary file upload by requiring validation of uploaded file content, type and format, so that crafted files submitted to the /userPicture component are rejected rather than stored.

Prevent: SI-9 (Information Input Restrictions) is cited for restricting the file types, extensions and sizes accepted by the /userPicture endpoint. Note that SI-9 is withdrawn in 800-53 r5 (incorporated into AC-2, AC-3, AC-5 and AC-6); in r5 terms, the upload allow-list belongs under SI-10, and limiting who may reach the upload endpoint belongs to the access-control family.

Prevent: SI-2 (Flaw Remediation) requires identification, reporting and timely remediation of the specific flaw in Timo v2.0.3's /userPicture component, eliminating the vulnerability at its source once a fixed version is available.
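What SI-10 style validation looks like for an avatar upload, as an added example that is not the page's or the Timo project's code: the weak check trusts the client-declared Content-Type and keeps the client's filename, which is the shape that produces CWE-434; the hardened check caps size, rejects path and double-extension tricks, allow-lists image extensions, verifies the file signature against the extension and stores the file under a server-chosen name. The allow-list, the size cap and the storage directory are this example's own assumptions.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass

# Hypothetical upload policy for an avatar endpoint such as /userPicture.
# The cap, the allow-list and the storage directory are this example's choices.
MAX_AVATAR_BYTES = 2 * 1024 * 1024
STORAGE_DIR = "/var/app/avatars"   # served as static data, never interpreted

# Extension -> (canonical MIME type, accepted file-signature prefixes).
# Content is checked against the signature, not the client's Content-Type.
IMAGE_SIGNATURES = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_as: str = ""


def weak_validate(filename: str, declared_type: str, content: bytes) -> UploadDecision:
    """The CWE-434 pattern: trusts the declared Content-Type and keeps the
    client's filename, so 'shell.jsp' sent as image/png is stored under a
    name the server runtime may execute."""
    if not declared_type.lower().startswith("image/"):
        return UploadDecision(False, "declared type is not an image")
    return UploadDecision(True, "declared image type accepted", f"{STORAGE_DIR}/{filename}")


def hardened_validate(filename: str, declared_type: str, content: bytes) -> UploadDecision:
    """SI-10 style checks: size bounds, filename structure, extension
    allow-list, declared-type/extension agreement, signature check, and a
    server-chosen storage name."""
    if len(content) == 0 or len(content) > MAX_AVATAR_BYTES:
        return UploadDecision(False, "size out of bounds")
    # Any directory component, NUL byte or leading dot means the client is
    # steering where or how the file lands.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base or base.startswith("."):
        return UploadDecision(False, "filename contains path or control characters")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return UploadDecision(False, "filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return UploadDecision(False, f"extension .{ext} not in allow-list")
    mime, signatures = IMAGE_SIGNATURES[ext]
    if declared_type.lower() != mime:
        return UploadDecision(False, "declared Content-Type disagrees with extension")
    if not any(content.startswith(sig) for sig in signatures):
        return UploadDecision(False, "file signature does not match extension")
    # The client's name is discarded; the stored name is random plus a content hash.
    token = secrets.token_hex(8)
    digest = hashlib.sha256(content).hexdigest()[:16]
    return UploadDecision(True, "accepted", f"{STORAGE_DIR}/{token}-{digest}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64            # constructed PNG-like header
    jsp = b"<%-- constructed placeholder, not a web shell --%>"
    print(weak_validate("shell.jsp", "image/png", jsp))
    print(hardened_validate("shell.jsp", "image/png", jsp))
    print(hardened_validate("avatar.png", "image/png", png))
```

The signature check is a first-order filter rather than a full image parse; a file that begins with a valid PNG header can still carry script text in its trailing bytes, which is why the hardened path also refuses non-image extensions and renames the file, so that whatever the bytes contain, the server will only ever hand them back as image data.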

References

https://gist.github.com/kaoniniang2/71f6a39535490ea2eeac371f33faec9c
https://gitee.com/aun/Timo/issues/IBBTZI