CVE-2025-0529
Published: 17 January 2025
Summary
CVE-2025-0529 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Fabian Train Ticket Reservation System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates username inputs in the login form to prevent stack-based buffer overflows from improper restriction of operations within memory bounds.
Implements memory safeguards like stack canaries and DEP to protect against exploitation of the stack-based buffer overflow in the login component.
Requires timely identification, reporting, and correction of the specific buffer overflow flaw in the Train Ticket Reservation System login form.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in login form enables local exploitation for arbitrary code execution and privilege escalation if run with elevated privileges.
NVD Description
A vulnerability, which was classified as critical, was found in code-projects Train Ticket Reservation System 1.0. This affects an unknown part of the component Login Form. The manipulation of the argument username leads to stack-based buffer overflow. Attacking locally is…
more
a requirement. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0529 is a critical stack-based buffer overflow vulnerability in code-projects Train Ticket Reservation System 1.0, specifically affecting an unknown part of the Login Form component. The issue arises from manipulation of the username argument, as identified under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). It received a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-17.
Exploitation requires local access with low privileges and low attack complexity, with no user interaction needed. A local attacker could manipulate the username input during login to trigger the buffer overflow, potentially leading to limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or denial of service.
Advisories from VulDB (ctiid.292413, id.292413, submit.478447) document the vulnerability, while a GitHub Gist provides a publicly disclosed exploit. The original project page at code-projects.org hosts the affected Train Ticket Reservation System 1.0 source code. No patches or specific mitigations are detailed in the available references.
The exploit has been publicly disclosed and may be used by attackers, though no real-world exploitation in the wild is noted.
Details
- CWE(s)