Cyber Posture

CVE-2025-1025

Severity: High
Published: 05 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (cockpit-hq/cockpit 2.4.1)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0596 (90.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1025 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates arbitrary file upload by enforcing comprehensive input validation mechanisms to detect and block files bypassing extension-based filters.
- prevent: Requires timely patching of the specific cockpit file upload vulnerability fixed in version 2.4.1 to eliminate the filter bypass.
- prevent: Enforces restrictions on allowable file types and inputs at application boundaries to limit unrestricted uploads of dangerous files.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload in a public-facing web app directly enables remote exploitation (T1190) and facilitates the ingress of tools or web shells for execution and persistence (T1105, T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different extension to bypass the upload filter.

Deeper analysis

CVE-2025-1025 affects versions of the cockpit-hq/cockpit package prior to 2.4.1, enabling an arbitrary file upload vulnerability. Attackers can bypass the upload filter by using different file extensions, as detailed in the CVE description. This issue, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its potential for integrity compromise without requiring authentication or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity. By crafting a malicious file upload request that evades the extension-based filter, the attacker achieves arbitrary file upload on the server, leading to high integrity impact as reflected in the CVSS score. This could allow persistence, further compromise, or execution of uploaded malicious content depending on server configuration and file handling.
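The analysis above and the SI-10 control recommended earlier both come down to one defensive point: an upload filter that only checks the file extension against a denylist is trivially sidestepped by an alternate or oddly cased extension, so validation must use a fixed allowlist plus a content check. The following is an added illustration written for this page; it is not code from cockpit-hq/cockpit, and the "weak" denylist function is a constructed stand-in for the generic CWE-434 pattern, not the project's actual filter. All file names, magic-byte values and the sample PNG bytes are constructed for the example.

```python
"""Extension-filter bypass (CWE-434) and a hardened upload validator.

Constructed example for this CVE page; not code from cockpit-hq/cockpit.
"""
import re

# --- Weak pattern: denylist on the raw extension -------------------------
# Anything not on the list passes: an uppercase variant, an alternate
# extension for the same interpreter, or a double extension all slip by.
DENYLIST = {".php", ".exe", ".sh"}  # constructed, deliberately incomplete

def weak_is_allowed(filename: str) -> bool:
    """Original-style check: reject only exact matches in the denylist."""
    dot = filename.rfind(".")
    ext = filename[dot:] if dot != -1 else ""
    return ext not in DENYLIST


# --- Hardened pattern: allowlist + magic bytes + strict naming -----------
# Only these extensions are accepted, and each must be backed by bytes
# that start with the matching signature (first bytes of the real format).
ALLOWLIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",      # covers GIF87a and GIF89a
    ".pdf": b"%PDF-",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def hardened_is_allowed(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Fails closed on anything unexpected."""
    # Drop any directory component from either separator style, then strip
    # trailing dots/spaces, which some filesystems silently discard
    # ("shell.php." would otherwise be stored as "shell.php").
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = base.split(".")
    if len(parts) != 2:
        return False, "name must be exactly stem.ext (no double extensions)"
    stem, ext = parts
    if not SAFE_STEM.fullmatch(stem):
        return False, "stem contains disallowed characters"
    ext = "." + ext.lower()          # case-normalise before the lookup
    magic = ALLOWLIST.get(ext)
    if magic is None:
        return False, f"extension {ext} is not on the allowlist"
    if not content.startswith(magic):
        return False, "content does not match the declared type"
    return True, "ok"


# Constructed sample inputs: a minimal PNG header and a script payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_SAMPLE = b"<?php echo 1;"

def compare_filters() -> dict[str, tuple[bool, bool]]:
    """Side-by-side results (weak, hardened) for a few constructed names."""
    cases = {
        "logo.png": PNG_SAMPLE,
        "shell.php": SCRIPT_SAMPLE,
        "shell.PHP": SCRIPT_SAMPLE,       # case variant of a blocked ext
        "shell.phtml": SCRIPT_SAMPLE,     # alternate interpreter ext
        "shell.php.png": SCRIPT_SAMPLE,   # double extension
        "shell.php.": SCRIPT_SAMPLE,      # trailing dot
        "notes.png": SCRIPT_SAMPLE,       # allowed ext, wrong content
    }
    return {name: (weak_is_allowed(name), hardened_is_allowed(name, data)[0])
            for name, data in cases.items()}

if __name__ == "__main__":
    for name, (weak, hard) in compare_filters().items():
        print(f"{name:15} weak={weak!s:5} hardened={hard}")
```

The design choice worth noting is that the hardened check never trusts the client's name or declared MIME type on its own: the extension selects an expected byte signature, the bytes must agree with it, and the stem is restricted to a safe character set so the stored name cannot carry path or interpreter tricks. Storing accepted files under a server-generated name outside the web root, and serving them with a fixed Content-Type, removes the remaining ways an accepted image could still be executed.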

Mitigation involves updating to cockpit-hq/cockpit version 2.4.1 or later, where the vulnerability is addressed via patches in specific GitHub commits (984ef9ad270357b843af63c81db95178eae42cae and becca806c7071ecc732521bb5ad0bb9c64299592). Security advisories from sources like Snyk (SNYK-PHP-COCKPITHQCOCKPIT-8516320) and related gists confirm the fix and recommend applying these updates promptly to prevent exploitation.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: Snyk (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-63994 (shared CWE-434)
- CVE-2025-6207 (shared CWE-434)
- CVE-2025-6079 (shared CWE-434)
- CVE-2025-6222 (shared CWE-434)
- CVE-2026-32523 (shared CWE-434)
- CVE-2025-66256 (shared CWE-434)
- CVE-2024-13908 (shared CWE-434)
- CVE-2026-3891 (shared CWE-434)
- CVE-2025-12171 (shared CWE-434)
- CVE-2026-6261 (shared CWE-434)

References