Cyber Resilience

CVE-2025-24888

High

Published: 13 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (SecureDrop Client 0.14.1)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0307 (87.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24888 is a high-severity Path Traversal (CWE-22) vulnerability in the SecureDrop Client (the affected asset is recorded as Qubes OS, inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 13.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a path traversal flaw (CWE-22) in the SecureDrop Client desktop application prior to version 0.14.1. It affects the reply-download logic running inside the dedicated `sd-app` Qubes VM of the SecureDrop Workstation. The client obtains the reply filename directly from the `Content-Disposition` header returned by the SecureDrop Server and writes the encrypted file to disk before any subsequent sanitization or `safe_move()` check occurs, allowing an attacker-controlled path to be used for the initial write.

A previously compromised SecureDrop Server can therefore supply a crafted filename that causes the client to drop an autostart `.desktop` file into `/home/user/.config/autostart/`, achieving code execution inside the `sd-app` VM. The attack cannot be performed by an unprivileged source or external party because the server must already be under attacker control and the files are end-to-end encrypted; the CVSS 8.1 score reflects the high impact once that prerequisite is met.

The official fix is included in SecureDrop Client 0.14.1; the corresponding patch revises filename handling in the download path (see the referenced commit and GHSA-6c3p-chq6-q3j2 advisory). No other mitigation steps are documented beyond upgrading the client.

No evidence of in-the-wild exploitation has been reported. The EPSS score rose materially from a low baseline to a peak of 0.0682 on 2026-03-24 before receding, indicating increased exploitation interest after disclosure.

Vulnerability details

The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to version 0.14.1, a malicious SecureDrop Server could obtain code execution on the SecureDrop Client virtual machine (`sd-app`).

SecureDrop Server itself has multiple layers of built-in hardening, and is a dedicated physical machine exposed on the internet only via Tor hidden services for the Source and Journalist interfaces, and optionally via remote SSH access over another Tor hidden service. A newsroom's SecureDrop Workstation communicates only with its own dedicated SecureDrop Server. The SecureDrop Client runs in a dedicated Qubes virtual machine, named `sd-app`, as part of the SecureDrop Workstation. The private OpenPGP key used to decrypt submissions and replies is stored in a separate virtual machine and never accessed directly.

The vulnerability lies in the code responsible for downloading replies. The filename of the reply is obtained from the `Content-Disposition` HTTP header and used to write the encrypted reply on disk. Note that filenames are generated and sanitized server-side, and files are downloaded in an encrypted format, so a remote attacker who has not achieved server compromise, such as one posing as a source, could not craft the HTTP response necessary for this attack. While the filename is later checked to guard against path traversal before being moved into the Client's data storage directory, the file has already been written to a potentially arbitrary location. In this case, `safe_move()` would detect the path traversal and fail, leaving the original downloaded file in the attacker-chosen directory. Code execution can be gained by writing an autostart file in `/home/user/.config/autostart/`.

Version 0.14.1 fixes the issue. As of time of publication, there is no known evidence of exploitation in the wild. This attack requires a previously compromised SecureDrop Server.
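To make the ordering defect concrete, here is an added Python example (not SecureDrop's own code): a resolver that joins the server-supplied filename to the download directory as the vulnerable flow does, beside a hardened resolver that validates the name before anything is written to disk. The simplified `Content-Disposition` parsing and the `/tmp/sd-app-downloads` directory are assumptions for the example.

```python
import os
import re

# Assumed simple form of the header: attachment; filename="<name>"
_FILENAME_RE = re.compile(r'filename="?([^";]+)"?')


def filename_from_header(content_disposition: str) -> str:
    """Return the filename parameter exactly as the server sent it."""
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        raise ValueError("no filename in Content-Disposition")
    return m.group(1)


def vulnerable_target(download_dir: str, content_disposition: str) -> str:
    """Pattern the advisory describes: the raw name is joined to the download
    directory and used for the first write; a later safe_move() check is too
    late because the file already exists at the attacker-chosen location."""
    raw = filename_from_header(content_disposition)
    # os.path.join discards download_dir if raw is absolute; normpath shows
    # where '..' components actually land.
    return os.path.normpath(os.path.join(download_dir, raw))


def hardened_target(download_dir: str, content_disposition: str) -> str:
    """Validate before any write: accept only a bare basename and confirm the
    final path is a direct child of the download directory."""
    raw = filename_from_header(content_disposition)
    name = os.path.basename(raw)  # strips directory components, if any
    if name != raw or name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected reply filename: {raw!r}")
    base = os.path.abspath(download_dir)
    target = os.path.normpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError(f"path escapes download directory: {raw!r}")
    return target


def header_is_safe(download_dir: str, content_disposition: str) -> bool:
    """Convenience check: True only if the hardened resolver accepts the name."""
    try:
        hardened_target(download_dir, content_disposition)
        return True
    except ValueError:
        return False
```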

CWE(s)

CWE-22 Path Traversal
Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1547.013 XDG Autostart Entries (tactic: Persistence)
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user's desktop environment is loaded at login.
Why these techniques?

Path traversal in client download enables arbitrary file write to autostart directory for execution (T1547.013) and directly supports exploitation of client application vulnerability for RCE (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22871 (shared CWE-22)
CVE-2026-4092 (shared CWE-22)
CVE-2025-67030 (shared CWE-22)
CVE-2026-30283 (shared CWE-22)
CVE-2016-20048 (shared CWE-22)
CVE-2026-40491 (shared CWE-22)
CVE-2026-30279 (shared CWE-22)
CVE-2026-28373 (shared CWE-22)
CVE-2024-12087 (shared CWE-22)
CVE-2026-25635 (shared CWE-22)

Affected Assets

Qubes OS
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation)
Directly prevents path traversal by validating filenames from the Content-Disposition header before writing encrypted reply files to disk in the SecureDrop Client.

prevent (SI-2 Flaw Remediation)
Mitigates the vulnerability through timely patching to SecureDrop Client version 0.14.1, which fixes the unsafe initial file write before path validation.

detect
Identifies path traversal vulnerabilities like CVE-2025-24888 in the SecureDrop Client reply download functionality through regular scanning.
