CVE-2025-27410
Published: 28 February 2025
Summary
CVE-2025-27410 is a medium-severity Path Traversal (CWE-22) vulnerability in PwnDoc (vendor: Pwndoc Project). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of TAR entry names to prevent the path traversal that allows arbitrary file overwrites during backup restore.
- AC-3 (Access Enforcement): enforces access control policies that restrict backup restore writes to authorized paths only, blocking overwrites of critical files such as JavaScript components.
- Least privilege: limits the `backups:create` and `backups:update` permissions, reducing the attack surface for authenticated administrators exploiting the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the web application's backup restore allows a remote file overwrite that plants malicious JavaScript, which executes on restart. This maps directly to T1190 (Exploit Public-Facing Application) and T1059.007 (JavaScript execution).
NVD Description
PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` permissions (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue.
Deeper analysis
CVE-2025-27410 is a path traversal vulnerability (CWE-22, CWE-23) in the backup restore functionality of PwnDoc, a penetration test reporting application. In versions prior to 1.2.0, the vulnerability stems from inadequate validation of TAR entry names, enabling attackers to overwrite arbitrary files on the system with attacker-controlled content.
The vulnerability can be exploited remotely over the network by authenticated users possessing both the `backups:create` and `backups:update` permissions, which are restricted to administrators by default. Exploitation requires low complexity and no user interaction. An attacker can overwrite a JavaScript file included in the application and then restart the container to achieve remote code execution with administrator privileges. The CVSS v3.1 base score is 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
PwnDoc version 1.2.0 resolves the issue through a targeted fix in the backup handling code. The GitHub security advisory (GHSA-mxw8-vgvx-89hx), fix commit (98f284291d73d3a0b11d3181d845845c192d1080), and release page (v1.2.0) provide details on the patch and updated code in backend/src/routes/backup.js. Security practitioners should upgrade to version 1.2.0 or later and review access controls for backup permissions.
Details
- CWE(s)