
CVE-2025-32778

Severity: Critical · Type: RCE

Published: 15 April 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v4 score: 9.3 (Critical)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.4472 (97.7th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32778 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 2.3% of all CVEs by EPSS exploit likelihood (97.7th percentile), but it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

Web-Check is an open-source OSINT tool for website analysis, and CVE-2025-32778 is a command-injection flaw in its screenshot API. The root cause is unsanitized user input from the url parameter being concatenated directly into a command string that is executed via the Node.js child_process exec() function. Because exec() hands the whole string to a shell, shell metacharacters in the url value (for example ; or $( )) are interpreted as command syntax rather than as part of the URL. This matches CWE-78 and carries a CVSS 4.0 score of 9.3.

An unauthenticated remote attacker can supply a crafted url value to the affected endpoint and thereby run arbitrary operating-system commands on the host. Successful exploitation can result in file exfiltration, installation of persistent remote-access tooling, or other post-exploitation activity without any user interaction or authentication.

The project maintainers addressed the issue in commit 0e4958a by replacing the vulnerable exec() call with execFile(), which runs the target binary directly without a shell and passes each argument as a separate array element, so metacharacters in the url value are never interpreted. Note that execFile() removes shell interpretation only; it does not check that the value is actually a URL, so deployments should still validate the parameter (scheme, format) before passing it on, as the mitigating controls below also recommend. The change is tracked in pull request 243 and GitHub Security Advisory GHSA-5qg5-g7c2-pfx8. The current and peak EPSS scores are both 0.4472, indicating elevated exploitation probability without a documented post-disclosure climb.


Vulnerability details

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Lissy93/web-check, screenshot API (builds that do not include the fix from commit 0e4958a)

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Managed runtime or sandbox (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Caveat for this CVE: Node.js is a managed runtime, but its child_process module gives the application direct OS command execution, and the vulnerable code used exactly that path, so this generic control does not mitigate the flaw on its own.

Input validation (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution. For this CVE that means accepting only well-formed http(s) URLs in the url parameter; it complements, rather than replaces, the execFile() fix that removes the shell from the call.

References

Fix commit: 0e4958a (Lissy93/web-check)
Pull request: 243 (Lissy93/web-check)
GitHub Security Advisory: GHSA-5qg5-g7c2-pfx8