Cyber Resilience

CVE-2025-24886

High

Published: 30 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0023 (45.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24886 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 45.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-4 (Information in Shared System Resources).

Deeper analysis

CVE-2025-24886 is a vulnerability in pwn.college, an educational platform for hands-on cybersecurity training, specifically affecting the dojo component. It stems from incorrect symlink checks on user-specified dojos, which enables local file inclusion (LFI) attacks from the CTFd container. The issue arises during repository cloning or updates, where a check for symlinks in the repository is performed but fails to prevent exploitation. Associated CWEs include CWE-61 (symbolic link following) and CWE-200 (exposure of sensitive information to an unauthorized actor), with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

Any low-privileged user on the platform, without requiring admin rights, can exploit this vulnerability. An attacker crafts a malicious Git repository containing symlinks pointing to sensitive files, then clones or updates it via the platform. The flawed symlink validation allows these symlinks to resolve, enabling the attacker to retrieve the targeted sensitive files through the CTFd website interface. This results in high confidentiality impact across a changed scope.

Mitigation details are provided in the GitHub security advisory at https://github.com/pwncollege/dojo/security/advisories/GHSA-fcq8-jqq5-9xmh.
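
One way to validate a cloned repository for symlinks, as an added example (not pwn.college's code or its fix): it resolves every link, including directory links and relative targets, flags those that leave the checkout, and repeats the containment check at read time. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile


def find_symlinks(repo_root):
    """Return sorted (relative_path, raw_target, escapes_root) for each symlink."""
    root = os.path.realpath(repo_root)
    findings = []
    # followlinks=False: directory symlinks are listed in dirnames but never entered.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows the whole chain, so relative and chained links are caught.
            resolved = os.path.realpath(path)
            escapes = os.path.commonpath([root, resolved]) != root
            findings.append((os.path.relpath(path, root), os.readlink(path), escapes))
    return sorted(findings)


def read_inside(repo_root, relpath):
    """Read-time check: refuse any path that resolves outside the repository."""
    root = os.path.realpath(repo_root)
    resolved = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError(f"{relpath} resolves outside the repository")
    with open(resolved, "rb") as fh:
        return fh.read()


def build_sample_repo():
    """Constructed sample tree: one internal link, two links that leave the repo."""
    base = tempfile.mkdtemp()
    repo, outside = os.path.join(base, "repo"), os.path.join(base, "outside")
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(outside)
    with open(os.path.join(repo, "README.md"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not for users")
    os.symlink("../README.md", os.path.join(repo, "docs", "ok.md"))  # stays inside
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(repo, "leak.txt"))  # absolute
    os.symlink("../outside", os.path.join(repo, "assets"))  # directory link
    return repo


if __name__ == "__main__":
    for rel, target, escapes in find_symlinks(build_sample_repo()):
        print(f"{'REJECT' if escapes else 'ok':6} {rel} -> {target}")
```

A scan at clone or update time only covers the tree as it was when scanned, so the read-time check in `read_inside` is kept as a second layer for whatever serves the files.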

Vulnerability details

pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Incorrect symlink checks on user-specified dojos allow users (admin not required) to perform an LFI from the CTFd container. When a user clones or updates repositories, a check is performed to see if the repository had contained any symlinks. A malicious user could craft a repository with symlinks pointed to sensitive files and then retrieve them using the CTFd website.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The LFI via flawed symlink validation directly enables adversaries to retrieve arbitrary sensitive files from the local system (CTFd container/host), matching T1005 Data from Local System for collection of files of interest.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires validation of user-submitted Git repository contents to detect and block symlinks targeting sensitive files during cloning or updating, directly addressing the flawed symlink checks.

prevent

Prevents unauthorized information transfer via shared system resources such as symlinks, mitigating the LFI exploitation from the CTFd container.

prevent

Enforces least privilege on the CTFd container process, restricting access to sensitive files even if malicious symlinks resolve.
