CVE-2025-27519

Severity: Critical
Published: 07 March 2025
Modified: 15 April 2026
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0258 (85.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27519 is a critical-severity Path Traversal (CWE-22) vulnerability in Github (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 14.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Cognita, an open source RAG framework for building modular production applications, contains a path traversal vulnerability at the /v1/internal/upload-to-local-directory endpoint. The issue is present when the Local environment variable is set to true, which occurs in the project's Docker deployment that also enables uvicorn auto-reload on the backend server. An attacker who can reach the endpoint can overwrite arbitrary files such as /app/backend/__init__.py; because the server reloads on change, the overwritten code executes and yields remote code execution inside the container. The flaw is tracked as CWE-22 and carries a CVSS 4.0 score of 9.3.

Any unauthenticated network attacker can exploit the upload endpoint to achieve full remote code execution within the Docker container, allowing arbitrary command execution, data exfiltration, or further lateral movement from the compromised service.

The vulnerability is fixed in commit a78bd065e05a1b30a53a3386cc02e08c317d2243, with the corresponding pull request and detailed analysis published in the GitHub Security Lab advisory GHSL-2024-193.

The associated EPSS score has remained flat at 0.0258 with no material increase since disclosure.

Vulnerability details

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. A path traversal issue exists at /v1/internal/upload-to-local-directory which is enabled when the Local env variable is set to true, such as when Cognita is set up using Docker. Because the Docker environment sets up the backend uvicorn server with auto reload enabled, when an attacker overwrites the /app/backend/__init__.py file, the file will automatically be reloaded and executed. This allows an attacker to get remote code execution in the context of the Docker container. This vulnerability is fixed in commit a78bd065e05a1b30a53a3386cc02e08c317d2243.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Github (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
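The control above, and the upload endpoint described in the deeper analysis, come down to one check: an untrusted filename must be resolved and confined to the intended directory before any file is written. The following is an added illustration of that check, not Cognita's code or its fix; the upload root, class and function names are assumed for the example.

```python
from pathlib import Path

# Constructed for this example: the directory uploads are meant to land in.
UPLOAD_ROOT = Path("/app/user_data/uploads")


class PathTraversalError(ValueError):
    """Raised when a requested filename would escape the upload root."""


def safe_upload_path(filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Map an untrusted filename to a path guaranteed to stay inside upload_root.

    The candidate is resolved (symlinks followed, '..' collapsed) before the
    containment check, so the decision is made on the real target, not on the
    string the client sent.
    """
    if not filename or "\x00" in filename:
        raise PathTraversalError("empty or NUL-containing filename")
    root = upload_root.resolve()
    # Joining an absolute filename would discard root entirely; resolve() then
    # collapses any '..' segments so the comparison below sees the final path.
    candidate = (root / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError(f"refusing path outside upload root: {filename!r}") from None
    if candidate == root:
        raise PathTraversalError("filename resolves to the upload root itself")
    return candidate


def is_safe_upload(filename: str, upload_root: Path = UPLOAD_ROOT) -> bool:
    """Convenience predicate: True if the filename would be accepted."""
    try:
        safe_upload_path(filename, upload_root)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including the traversal shape the advisory describes.
    samples = ["report.pdf", "sub/dir/notes.txt", "../backend/__init__.py",
               "/etc/passwd", "a/../../x", "."]
    for name in samples:
        print(f"{name!r:28} -> {'accept' if is_safe_upload(name) else 'reject'}")
```

Calling this before the write, rather than string-matching for "..", is what closes the class of bug: absolute paths, nested "a/../../x" forms and symlinked directories are all judged by where they actually land.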
