CVE-2025-24888
Published: 13 February 2025
Summary
CVE-2025-24888 is a high-severity path traversal (CWE-22) vulnerability in the SecureDrop Client, the desktop application that runs inside the dedicated `sd-app` virtual machine of the Qubes OS-based SecureDrop Workstation. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 13.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a path traversal flaw (CWE-22) in the SecureDrop Client desktop application prior to version 0.14.1. It affects the reply-download logic running inside the dedicated `sd-app` Qubes VM of the SecureDrop Workstation. The client obtains the reply filename directly from the `Content-Disposition` header returned by the SecureDrop Server and writes the encrypted file to disk before any subsequent sanitization or `safe_move()` check occurs, allowing an attacker-controlled path to be used for the initial write.
A previously compromised SecureDrop Server can therefore supply a crafted filename that causes the client to drop an autostart `.desktop` file into `/home/user/.config/autostart/`, achieving code execution inside the `sd-app` VM. The attack cannot be performed by an unprivileged source or external party because the server must already be under attacker control and the files are end-to-end encrypted; the CVSS 8.1 score reflects the high impact once that prerequisite is met.
The official fix is included in SecureDrop Client 0.14.1; the corresponding patch revises filename handling in the download path (see the referenced commit and GHSA-6c3p-chq6-q3j2 advisory). No other mitigation steps are documented beyond upgrading the client.
No evidence of in-the-wild exploitation has been reported. The EPSS score rose materially from a low baseline to a peak of 0.0682 on 2026-03-24 before receding, indicating a higher predicted probability of exploitation after disclosure rather than observed attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3974
Vulnerability details
The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to version 0.14.1, a malicious SecureDrop Server could obtain code execution on the SecureDrop Client virtual machine (`sd-app`).

SecureDrop Server itself has multiple layers of built-in hardening, and is a dedicated physical machine exposed on the internet only via Tor hidden services for the Source and Journalist interfaces, and optionally via remote SSH access over another Tor hidden service. A newsroom's SecureDrop Workstation communicates only with its own dedicated SecureDrop Server. The SecureDrop Client runs in a dedicated Qubes virtual machine, named `sd-app`, as part of the SecureDrop Workstation. The private OpenPGP key used to decrypt submissions and replies is stored in a separate virtual machine and never accessed directly.

The vulnerability lies in the code responsible for downloading replies. The filename of the reply is obtained from the `Content-Disposition` HTTP header and used to write the encrypted reply on disk. Note that filenames are generated and sanitized server-side, and files are downloaded in an encrypted format, so a remote attacker who has not achieved server compromise, such as one posing as a source, could not craft the HTTP response necessary for this attack. While the filename is later checked to guard against path traversal before being moved into the Client's data storage directory, the file has already been written to a potentially arbitrary location. In this case, `safe_move()` would detect the path traversal and fail, leaving the original downloaded file in the attacker-chosen directory. Code execution can be gained by writing an autostart file in `/home/user/.config/autostart/`.

Version 0.14.1 fixes the issue. As of time of publication, there is no known evidence of exploitation in the wild. This attack requires a previously compromised SecureDrop Server.
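The write-then-validate ordering described above (and in the Deeper analysis section) is easier to see in code. The following is an added example written for this page, not the SecureDrop Client's own source: it reconstructs the vulnerable ordering from the advisory text, models `safe_move()` as a simple "destination must resolve inside the data directory" check, and places a hardened version beside it that validates the server-supplied name before anything touches disk. The headers, body, directory names and the `evil.desktop` filename are all constructed for the demo; the real client's function names and directory layout may differ.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a response from a compromised server (not real
# SecureDrop traffic). The filename climbs out of the download directory
# into the user's XDG autostart directory.
MALICIOUS_HEADERS = {
    "Content-Disposition": 'attachment; filename="../.config/autostart/evil.desktop"'
}
# A legitimate-looking response for comparison (also constructed).
BENIGN_HEADERS = {"Content-Disposition": 'attachment; filename="reply-7.gpg"'}
ENCRYPTED_BODY = b"-----BEGIN PGP MESSAGE-----\n(constructed ciphertext)\n"


def filename_from_content_disposition(header: str) -> str:
    """Pull the filename parameter out of Content-Disposition as-is.
    This is the untrusted input: the server controls every character."""
    m = re.search(r'filename="?([^";]+)"?', header)
    if not m:
        raise ValueError("no filename parameter in Content-Disposition")
    return m.group(1)


def is_safe_filename(name: str) -> bool:
    """Accept only a plain, single-segment file name."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in "/\\\x00")


def _inside(path: Path, base: Path) -> bool:
    """True if path resolves to a location under base (symlinks followed)."""
    try:
        path.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def vulnerable_download(headers, body: bytes, download_dir: Path, data_dir: Path) -> Path:
    """Reconstructed pre-0.14.1 ordering: write first, validate later."""
    name = filename_from_content_disposition(headers["Content-Disposition"])
    written = download_dir / name       # attacker controls every path segment
    written.write_bytes(body)           # the dangerous write happens here
    if not _inside(data_dir / name, data_dir):
        # Model of safe_move() failing: the traversal is detected, but the
        # file already sits wherever the server pointed it.
        return written
    final = data_dir / name
    written.replace(final)
    return final


def hardened_download(headers, body: bytes, download_dir: Path, data_dir: Path) -> Path:
    """Validate before any filesystem write; reject rather than sanitize."""
    name = filename_from_content_disposition(headers["Content-Disposition"])
    if not is_safe_filename(name):
        raise ValueError(f"refusing unsafe filename from server: {name!r}")
    dest = download_dir / name
    if not _inside(dest, download_dir):  # belt and braces after the name check
        raise ValueError("destination escapes the download directory")
    dest.write_bytes(body)
    return dest


def run_demo() -> dict:
    """Exercise both flows in a throwaway home directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        autostart = home / ".config" / "autostart"
        autostart.mkdir(parents=True)   # exists on a normal desktop session
        download_dir, data_dir = home / "downloads", home / "data"
        download_dir.mkdir()
        data_dir.mkdir()

        hardened_rejected = False
        try:
            hardened_download(MALICIOUS_HEADERS, ENCRYPTED_BODY, download_dir, data_dir)
        except ValueError:
            hardened_rejected = True
        hardened_wrote_nothing = not any(autostart.iterdir()) and not any(download_dir.iterdir())

        benign = hardened_download(BENIGN_HEADERS, ENCRYPTED_BODY, download_dir, data_dir)
        benign_written = benign.parent == download_dir and benign.read_bytes() == ENCRYPTED_BODY

        dropped = vulnerable_download(MALICIOUS_HEADERS, ENCRYPTED_BODY, download_dir, data_dir)
        vulnerable_escaped = dropped.resolve().parent == autostart.resolve() and dropped.exists()

        return {
            "hardened_rejected": hardened_rejected,
            "hardened_wrote_nothing": hardened_wrote_nothing,
            "benign_written": benign_written,
            "vulnerable_escaped": vulnerable_escaped,
        }


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened version is the order of operations: nothing derived from the server response reaches the filesystem until it has passed a whitelist-style check, and the check rejects rather than "fixes" the name, so `..` and separators can never be rewritten into something that happens to pass. A stronger design still, where the protocol allows it, is to ignore the server-supplied name for local storage altogether and generate the on-disk name client-side, keeping the server's name only as display metadata.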
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the client's reply download enables an arbitrary file write into the user's autostart directory, which is persistence via XDG Autostart Entries (T1547.013), and the malicious server response achieves code execution through a flaw in a client application (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents path traversal by validating filenames from the Content-Disposition header before writing encrypted reply files to disk in the SecureDrop Client.
- SI-2 (Flaw Remediation): mitigates the vulnerability through timely patching to SecureDrop Client version 0.14.1, which fixes the unsafe initial file write before path validation.
- Vulnerability scanning: identifies path traversal vulnerabilities like CVE-2025-24888 in the SecureDrop Client reply download functionality through regular scanning.