CVE-2025-1025
Published: 05 February 2025
Summary
CVE-2025-1025 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Versions of the Cockpit content management system from cockpit-hq/cockpit prior to 2.4.1 contain an arbitrary file upload vulnerability tracked as CVE-2025-1025. The flaw, assigned CWE-434, allows an attacker to bypass the upload filter by supplying an alternate file extension, enabling the placement of arbitrary files on the server. The issue carries a CVSS 4.0 score of 7.7, reflecting a network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can exploit the weakness to upload files that alter system integrity, potentially leading to unauthorized code deployment or configuration changes on the affected installation. The vulnerability exists in the file-handling logic that insufficiently validates extensions before storage.
Public references point to fixes merged in commits 984ef9ad270357b843af63c81db95178eae42cae and becca806c7071ecc732521bb5ad0bb9c64299592, with the Snyk advisory confirming that upgrading to version 2.4.1 addresses the bypass. The associated EPSS score remains low, moving only from 0.0596 to a peak of 0.0660.
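To show why an extension-only filter is bypassable and what an allowlist-based check adds, here is an added illustration that is not Cockpit's code or its fix: a denylist that inspects only the final suffix as-is, beside a hardened check that normalizes case, rejects path components and stacked extensions, and requires the file's leading bytes to match the type the extension claims. The denylist, allowlist and signature table are constructed for the example.

```python
"""Extension-only upload filtering, weak vs. hardened (illustrative, not Cockpit code)."""
from pathlib import PurePosixPath
from typing import Optional

# Constructed denylist: the shape of filter that an alternate extension slips past.
DENIED = {".php", ".exe"}
# Constructed allowlist of what this hypothetical upload endpoint is meant to accept.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Leading bytes expected for each allowed type, so content must match the name.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".gif": b"GIF8", ".pdf": b"%PDF"}


def weak_filter_allows(filename: str) -> bool:
    """Denylist on the final suffix, compared as-is: case changes, alternate
    spellings and stacked extensions all pass because they are not in DENIED."""
    return PurePosixPath(filename).suffix not in DENIED


def hardened_extension(filename: str) -> Optional[str]:
    """Return the normalized extension if the name passes the allowlist, else None.
    Rejects path components, NUL bytes, dotfiles, empty names and stacked extensions."""
    if not filename or "\0" in filename or "\\" in filename:
        return None                          # NUL byte or backslash separator
    if PurePosixPath(filename).name != filename or filename.startswith("."):
        return None                          # path component or dotfile (e.g. server config)
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED:
        return None                          # none, several, or an unlisted extension
    return suffixes[0]


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist decision on the name alone."""
    return hardened_extension(filename) is not None


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Allowlist plus content check: the bytes must begin with the signature
    of the type the extension claims, so a renamed script is still rejected."""
    ext = hardened_extension(filename)
    return ext is not None and data.startswith(MAGIC[ext])


def compare(filenames):
    """Map each name to (weak_allows, hardened_allows) to show where the two diverge."""
    return {f: (weak_filter_allows(f), hardened_filter_allows(f)) for f in filenames}
```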
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0244
Vulnerability details
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different extension to bypass the upload filter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing web application directly enables remote exploitation (T1190) and facilitates tool or web shell ingress for execution and persistence (T1105, T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates arbitrary file upload by enforcing comprehensive input validation mechanisms to detect and block files bypassing extension-based filters.
- SI-2 (Flaw Remediation): Requires timely patching of the specific Cockpit file upload vulnerability fixed in version 2.4.1 to eliminate the filter bypass.
- Enforces restrictions on allowable file types and inputs at application boundaries to limit unrestricted uploads of dangerous files.