CVE-2025-32778
Published: 15 April 2025
Summary
CVE-2025-32778 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, EPSS ranks it in the top 2.3% of all CVEs by exploitation likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Web-Check is an open-source OSINT tool for website analysis, and CVE-2025-32778 is a command-injection flaw in its screenshot API. The root cause is unsanitized user input from the url parameter being concatenated directly into a shell command executed via Node.js exec(), which matches CWE-78 and carries a CVSS 4.0 score of 9.3.
An unauthenticated remote attacker can supply a crafted url value to the affected endpoint and thereby run arbitrary operating-system commands on the host. Successful exploitation can result in file exfiltration, installation of persistent remote-access tooling, or other post-exploitation activity without any user interaction or authentication.
The project maintainers addressed the issue in commit 0e4958a by replacing the vulnerable exec() call with execFile(), which invokes the binary directly without a shell and passes the url value as a single argv element, so shell metacharacters in it are never interpreted; the change is also tracked in pull request 243 and GitHub Security Advisory GHSA-5qg5-g7c2-pfx8. Because execFile() still hands the value to the invoked program as an argument, validating that url is a well-formed http(s) URL before it reaches any process remains a sensible second layer. The current and peak EPSS scores are both 0.4472, indicating elevated exploitation probability without a documented post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11013
Vulnerability details
Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.