CVE-2025-0335
Published: 09 January 2025
Summary
CVE-2025-0335 is a medium-severity Improper Access Control (CWE-284) vulnerability in Fabian Online Bike Rental System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates unrestricted file upload in the Change Image Handler by validating boundaries, structure, and content of uploaded files to reject dangerous types.
- Restricts classes of information input to the system, such as limiting uploads to safe image file types and sizes, preventing exploitation of the vulnerable handler.
- Enforces approved authorizations on the Change Image Handler to address improper access control (CWE-284), limiting low-privilege users from performing unrestricted uploads.
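The validation and input-restriction controls listed above, as an added illustration that is not code from the Online Bike Rental System or the advisory: the handler accepts only allowlisted image extensions, enforces a size ceiling, checks that the file content matches the declared type, and stores the file under a server-generated name so the client-supplied filename never reaches the filesystem. The signatures, size limit and sample uploads are assumptions constructed for the example.

```python
import os
import secrets

# Allowlisted extensions mapped to the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed 2 MiB ceiling (SI-9 style input restriction)


def validate_image_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) or (accepted, safe_server_name).

    Only the final extension of the client name is consulted; the stored name
    is generated server-side so 'shell.php' or '../x.php' can never be written.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "size out of range"
    # 'avatar.php.jpg' yields 'jpg' here; the content check below decides whether it is an image.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext or '(none)'}' not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    # Cheap extra check for image/script polyglots; re-encoding the image server-side is stronger.
    if b"<?php" in data or b"<script" in data.lower():
        return False, "script marker found in image data"
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not taken from the advisory or the PoC).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
RAW_PHP = b"<?php echo 'hello'; ?>"


def demo() -> dict:
    """Exercise the handler against a benign image and several rejected inputs."""
    return {
        "png": validate_image_upload("bike.png", GOOD_PNG)[0],
        "php": validate_image_upload("avatar.php", RAW_PHP)[0],
        "double_ext": validate_image_upload("avatar.php.jpg", RAW_PHP)[0],
        "polyglot": validate_image_upload("bike.png", GOOD_PNG + RAW_PHP)[0],
        "oversize": validate_image_upload("bike.png", GOOD_PNG + b"\x00" * MAX_UPLOAD_BYTES)[0],
    }
```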
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web application enables exploitation of public-facing apps (T1190), deployment of web shells (T1100), and uploading of tools (T1608.002).
NVD Description
A vulnerability was found in code-projects Online Bike Rental System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the component Change Image Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well.
Deeper analysis
CVE-2025-0335 is a critical vulnerability in code-projects Online Bike Rental System 1.0, affecting an unknown functionality within the Change Image Handler component. The issue enables unrestricted file upload through remote manipulation, with potential impacts on other endpoints as well. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation leads to unrestricted file upload, resulting in low-level impacts on confidentiality, integrity, and availability.
Advisories from VulDB indicate the exploit has been publicly disclosed and is available for use, including a proof-of-concept on GitHub at https://github.com/Huandtx/cve/blob/main/cve/Online%20Bike%20Rental%20System/File_upload1.md. Additional references include the project site at https://code-projects.org/ and VulDB entries at https://vuldb.com/?ctiid.290822, https://vuldb.com/?id.290822, and https://vuldb.com/?submit.475365; no patches or specific mitigations are detailed in the provided information.
Details
- CWE(s)