CVE-2025-24372
Published: 05 February 2025
Summary
CVE-2025-24372 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 44.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24372 is a vulnerability in CKAN, an open-source data management system used for powering data hubs and portals. It allows a registered user to upload a specially crafted file containing code that, when executed, can send arbitrary requests to the server. If an administrator opens the file, this could lead to privilege escalation for the original submitter or other malicious actions. The issue affects CKAN versions prior to 2.10.7 and 2.11.2, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-79.
A registered user on the CKAN site can exploit this vulnerability over the network by uploading the malicious file. Exploitation requires only low privileges (a registered account) and low complexity, but depends on user interaction: an administrator must open the file. Once it runs, the embedded code can send arbitrary requests to the server with the authority of the administrator who opened it, potentially resulting in high-impact confidentiality and integrity violations, such as unauthorized access to sensitive data or modification of site resources, without affecting availability.
The vulnerability has been fixed in CKAN 2.10.7 and 2.11.2, and users are advised to upgrade. For versions prior to these releases, site maintainers can mitigate by restricting allowed file types using the configuration options `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types`. File uploads can be entirely disabled with `ckan.upload.user.types = none`. Additional details are available in the CKAN documentation and the fixing commit at https://github.com/ckan/ckan/commit/7da6a26c6183e0a97a356d1b1d2407f3ecc7b9c8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0234
Vulnerability details
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none`
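The configuration mitigation described above, as an added audit script that is not CKAN's own code and not part of the advisory: it parses a constructed `ckan.ini` fragment, reports for each upload scope whether an allow-list is set or uploads are disabled with `none`, and checks the running version against the fixed releases. It assumes the options live in the `[app:main]` section and reports an unset option as `unset` (check CKAN's shipped default for that scope) rather than asserting it is unrestricted.

```python
import configparser
import re

# Constructed ckan.ini fragments for demonstration, not taken from any real deployment.
SAMPLE_WEAK = """[app:main]
ckan.site_url = http://ckan.example
"""
SAMPLE_HARDENED = """[app:main]
ckan.site_url = http://ckan.example
ckan.upload.user.types = none
ckan.upload.group.types = image
ckan.upload.group.mimetypes = image/png image/jpeg
"""

# First patched release per affected branch, as stated in the advisory.
FIXED = {(2, 10): 7, (2, 11): 2}

def version_is_fixed(version):
    """True if a CKAN version string is at or past 2.10.7 / 2.11.2."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches older than 2.10 have no fixed release; newer ones include the fix.
    return (major, minor) > (2, 11)

def audit_uploads(ini_text):
    """Classify each upload scope as 'disabled', 'restricted' or 'unset'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["app:main"]  # assumption: CKAN options live in [app:main]
    result = {}
    for scope in ("user", "group"):
        types = section.get(f"ckan.upload.{scope}.types", "").split()
        mimetypes = section.get(f"ckan.upload.{scope}.mimetypes", "").split()
        if types == ["none"]:
            result[scope] = "disabled"      # uploads switched off for this scope
        elif types or mimetypes:
            result[scope] = "restricted"    # an explicit allow-list is configured
        else:
            result[scope] = "unset"         # no explicit allow-list; verify the default
    return result

def findings(version, ini_text):
    """Action items for one deployment; an empty list means nothing to do."""
    out = []
    if not version_is_fixed(version):
        out.append(f"CKAN {version} predates the fix: upgrade to 2.10.7 / 2.11.2")
        for scope, state in audit_uploads(ini_text).items():
            if state == "unset":
                out.append(f"ckan.upload.{scope}.types not set: restrict types or set none")
    return out
```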
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
The vulnerability description explicitly states it leads to privilege escalation when a low-privileged user uploads a crafted file that executes code upon administrator interaction, directly mapping to exploitation of a software vulnerability for higher privileges.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the vulnerability by requiring timely upgrade to the patched CKAN releases 2.10.7 and 2.11.2.
- Prevents exploitation by restricting the file types that can be uploaded, using configuration options such as `ckan.upload.user.types` as recommended by the vendor.
- Enforces secure configuration settings, such as disabling file uploads entirely with `ckan.upload.user.types = none`, to remove the attack vector.