CVE-2025-24886
Published: 30 January 2025
Summary
CVE-2025-24886 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 45.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-4 (Information in Shared System Resources).
Deeper analysis
CVE-2025-24886 is a vulnerability in pwn.college, an educational platform for hands-on cybersecurity training, specifically affecting the dojo component. It stems from incorrect symlink checks on user-specified dojos, which enables local file inclusion (LFI) attacks from the CTFd container. The issue arises during repository cloning or updates, where a check for symlinks in the repository is performed but fails to prevent exploitation. Associated CWEs include CWE-61 (symbolic link following) and CWE-200 (exposure of sensitive information to an unauthorized actor), with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Any low-privileged user on the platform, without requiring admin rights, can exploit this vulnerability. An attacker crafts a malicious Git repository containing symlinks pointing to sensitive files, then clones or updates it via the platform. The flawed symlink validation allows these symlinks to resolve, enabling the attacker to retrieve the targeted sensitive files through the CTFd website interface. This results in high confidentiality impact across a changed scope.
Mitigation details are provided in the GitHub security advisory at https://github.com/pwncollege/dojo/security/advisories/GHSA-fcq8-jqq5-9xmh.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3973
Vulnerability details
pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Incorrect symlink checks on user-specified dojos allow users (admin not required) to perform an LFI from the CTFd container. When a user clones or updates repositories, a check is performed to see if the repository had contained any symlinks. A malicious user could craft a repository with symlinks pointed to sensitive files and then retrieve them using the CTFd website.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI via flawed symlink validation directly enables adversaries to retrieve arbitrary sensitive files from the local system (CTFd container/host), matching T1005 Data from Local System for collection of files of interest.
Mitigating Controls (NIST 800-53 r5)
- Repository content validation: requires validation of user-submitted Git repository contents to detect and block symlinks targeting sensitive files during cloning or updating, directly addressing the flawed symlink checks.
- SC-4 (Information in Shared System Resources): prevents unauthorized information transfer via shared system resources such as symlinks, mitigating the LFI exploitation from the CTFd container.
- AC-6 (Least Privilege): enforces least privilege on the CTFd container process, restricting access to sensitive files even if malicious symlinks resolve.
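The deeper analysis above says the dojo's symlink check on a cloned or updated repository exists but does not stop the attack, and the first mitigating control calls for validating repository contents before use. The following is an added example written for this page; it is not pwn.college's code and is not a reconstruction of the check the dojo actually performs (the page does not describe that check). It shows what a sound gate looks like: walk the checkout with lstat semantics so symlinked directories are never traversed, report every link, and optionally classify each by whether its fully resolved target escapes the checkout. The function names (`find_symlinks`, `escapes_repo`, `validate_checkout`, `demo`) and the throwaway checkout built in a temporary directory are all constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


def find_symlinks(repo_root):
    """Return every symlink below repo_root as (relative path, raw link target).

    os.walk(followlinks=False) never descends into a symlinked directory, so a
    link such as 'etc -> /' is reported once and cannot drag the scan across
    the whole filesystem. Path.is_symlink() uses lstat, so the link itself is
    examined rather than whatever it points to.
    """
    root = Path(repo_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                found.append((str(path.relative_to(root)), os.readlink(path)))
    return sorted(found)


def escapes_repo(repo_root, rel_link):
    """True when the link's fully resolved target lies outside the checkout.

    realpath follows chains of links and '..' components; resolving the root
    as well copes with a root that is itself reached through a symlink.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_link))
    return os.path.commonpath([root, target]) != root


def validate_checkout(repo_root, allow_internal_links=False):
    """Gate a freshly cloned or updated checkout before the platform uses it.

    Returns (ok, rejected_links). Default policy (an assumption for this
    example): any symlink is rejected, which leaves nothing for a path
    resolver to get wrong. With allow_internal_links=True, links that stay
    inside the checkout are tolerated and only escaping ones are rejected.
    """
    rejected = []
    for rel, _target in find_symlinks(repo_root):
        if not allow_internal_links or escapes_repo(repo_root, rel):
            rejected.append(rel)
    return (not rejected, rejected)


def demo():
    """Build a constructed checkout (not a real dojo repository) and gate it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    repo = tempfile.mkdtemp(prefix="checkout-")
    try:
        # Constructed stand-in for a sensitive file living outside the checkout.
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sensitive content\n")
        os.makedirs(os.path.join(repo, "docs"))
        with open(os.path.join(repo, "docs", "readme.txt"), "w") as fh:
            fh.write("hello\n")
        # Harmless: relative link that stays inside the checkout.
        os.symlink("docs/readme.txt", os.path.join(repo, "README"))
        # Escaping: absolute link to a file outside the checkout.
        os.symlink(secret, os.path.join(repo, "secret"))
        # Escaping: directory link to the filesystem root; the scan must not follow it.
        os.symlink("/", os.path.join(repo, "etc"))

        strict_ok, strict_rejected = validate_checkout(repo)
        lenient_ok, lenient_rejected = validate_checkout(repo, allow_internal_links=True)
        return strict_ok, strict_rejected, lenient_ok, lenient_rejected
    finally:
        shutil.rmtree(repo)
        shutil.rmtree(outside)


if __name__ == "__main__":
    print(demo())
```

Two design points matter for this class of bug. First, the scan must run on every clone and every update, not only the first clone, because an update can introduce a link that the original import did not contain. Second, the check has to look at the link itself (lstat) and resolve targets against the real path of the checkout root; a check that stats through the link, or that only inspects the top level of the tree, reports the file the link points to and misses links nested in subdirectories.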