Cyber Resilience

CVE-2025-1025

Severity: High

Published: 05 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fix available (version 2.4.1)
CVSS v4 score: 7.7 (High)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0596 (90.9th percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1025 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Versions of the Cockpit content management system from cockpit-hq/cockpit prior to 2.4.1 contain an arbitrary file upload vulnerability tracked as CVE-2025-1025. The flaw, assigned CWE-434, allows an attacker to bypass the upload filter by supplying an alternate file extension, so arbitrary files can be placed on the server. The issue carries a CVSS 4.0 score of 7.7, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can exploit the weakness to upload files that alter system integrity, potentially leading to unauthorized code deployment or configuration changes on the affected installation. The vulnerability exists in the file-handling logic, which insufficiently validates extensions before storage.
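To make the filter-bypass pattern concrete from the defender's side, the following added example (not Cockpit's code, and not taken from the advisory) contrasts a denylist check on the trailing extension, the kind of filter an alternate extension slips past, with an allowlist validator that normalises case, refuses multiple extensions and path components, and checks the file's leading bytes. The denylist, allowlist, signatures and sample upload names are all constructed for the demonstration.

```python
"""
Added example (not Cockpit's code): contrasts an extension denylist, the kind of
filter an alternate extension slips past, with an allowlist validator that also
checks the file's leading bytes. All names and sample files are constructed.
"""
from __future__ import annotations

import os
import re

# Constructed denylist of extensions a naive filter refuses.
DENYLIST = {"php", "phtml", "phar"}

# Constructed allowlist: permitted extension -> expected leading bytes (file signature).
ALLOWLIST = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def weak_is_allowed(filename: str) -> bool:
    """Denylist check on the trailing extension only: the CWE-434 pattern.

    Any extension the list does not name, or a different case of one it
    does name, passes straight through.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist check: exactly one extension, case-normalised, with matching signature."""
    if os.path.basename(filename) != filename:
        return False  # path components are never acceptable in an upload name
    parts = filename.split(".")
    if len(parts) != 2:
        return False  # rejects "a.php.png"-style double extensions and bare names
    stem, ext = parts[0], parts[1].lower()
    if not STEM_RE.fullmatch(stem):
        return False  # stem restricted to a conservative character set
    signature = ALLOWLIST.get(ext)
    if signature is None:
        return False  # extension not on the allowlist, whatever its case
    return content.startswith(signature)


# Constructed upload attempts: (filename, leading bytes of the body).
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("PHOTO.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("script.php", b"not an image"),          # on the denylist
    ("script.PHP", b"not an image"),          # case variant of a denied extension
    ("script.phps", b"not an image"),         # extension the denylist never named
    ("script.php.png", b"not an image"),      # allowed-looking trailer, wrong body
    ("../script.png", b"\x89PNG\r\n\x1a\n"),  # path component in the name
]


def evaluate(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Return {filename: (denylist_verdict, allowlist_verdict)} for each sample."""
    return {
        name: (weak_is_allowed(name), hardened_is_allowed(name, body))
        for name, body in samples
    }


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:18} denylist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if hard else 'reject'}")
```

Running the block shows the denylist accepting every sample except the one extension it names exactly, while the allowlist accepts only the two genuine images. The design point is that the allowlist never asks "is this extension bad?" but "is this extension one we serve, and does the body look like that type?", so there is no alternate spelling or added suffix to discover; storing uploads outside the web root and serving them with a fixed Content-Type is the usual companion control.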

Public references point to fixes merged in commits 984ef9ad270357b843af63c81db95178eae42cae and becca806c7071ecc732521bb5ad0bb9c64299592, with the Snyk advisory confirming that upgrading to version 2.4.1 addresses the bypass. The associated EPSS score remains low, moving only from 0.0596 to a peak of 0.0660.

Vulnerability details

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different extension to bypass the upload filter.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload in a public-facing web application directly enables remote exploitation (T1190) and facilitates the ingress of tools or web shells for execution and persistence (T1105, T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-6207 (shared CWE-434)
CVE-2024-50620 (shared CWE-434)
CVE-2025-12171 (shared CWE-434)
CVE-2025-26325 (shared CWE-434)
CVE-2025-6079 (shared CWE-434)
CVE-2024-13448 (shared CWE-434)
CVE-2025-51056 (shared CWE-434)
CVE-2025-66256 (shared CWE-434)
CVE-2026-32523 (shared CWE-434)
CVE-2025-6423 (shared CWE-434)

Affected Assets

Snyk (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-10 Information Input Validation): Directly mitigates arbitrary file upload by enforcing comprehensive input validation mechanisms to detect and block files bypassing extension-based filters.

Prevent (SI-2 Flaw Remediation): Requires timely patching of the specific Cockpit file upload vulnerability fixed in version 2.4.1 to eliminate the filter bypass.

Prevent: Enforces restrictions on allowable file types and inputs at application boundaries to limit unrestricted uploads of dangerous files.
