Cyber Resilience

CVE-2025-34031

High · Public PoC

Published: 24 June 2025
Modified: 20 November 2025
KEV Added:
Patch:
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1830 (95.4th percentile)
Risk Priority: 28 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34031 is a high-severity Path Traversal (CWE-22) vulnerability in Geoffrowland Jmol. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

A path traversal vulnerability affects the Jmol plugin version 6.1 and earlier in the Moodle learning management system. The flaw resides in jsmol.php, where the script passes an unsanitized query parameter directly to the file_get_contents() function, enabling unauthenticated retrieval of arbitrary files from the server filesystem. The issue is tracked as CWE-22 and carries a CVSS 4.0 score of 8.7.

An attacker can exploit the vulnerability over the network without authentication or user interaction by supplying a crafted query value that traverses directories. Successful exploitation can disclose sensitive files, including configuration data that may contain database credentials, thereby facilitating further compromise of the Moodle instance.
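
A detection sketch for the request pattern described above, added here as an example and not taken from the plugin or the cited advisories: it scans web-server access logs for requests to jsmol.php whose query parameter resolves, after repeated percent-decoding, to a value with `..` segments or an absolute path. The combined log format, the `/PLUGIN_PATH/` placeholder, the file names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed combined log format: ip ident user [time] "METHOD target PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines: documentation IPs, placeholder plugin path, made-up file names.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /PLUGIN_PATH/jsmol.php?query=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /PLUGIN_PATH/jsmol.php?query=%252e%252e%252fconfig.php HTTP/1.1" 403 199',
    '198.51.100.4 - - [01/Jan/2025:10:00:03 +0000] "GET /PLUGIN_PATH/jsmol.php?query=caffeine.mol HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2025:10:00:04 +0000] "GET /course/view.php?id=2&query=../x HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")


def suspicious_requests(lines, script="jsmol.php", param="query"):
    """Return (client_ip, status, decoded_value) for each flagged request to the script."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not in the assumed log format
        ip, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue  # only the vulnerable endpoint is of interest
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((ip, int(status), fully_decode(value)))
    return hits
```

A flagged request that was answered with status 200 is the one to triage first, since a disclosed configuration file may contain database credentials.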

Public references from VulnCheck, Dionach, and Exploit-DB document the issue and provide technical details on the affected plugin. Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-02 UTC, and the EPSS score has remained steady at a peak of 0.1830 with no material increase after disclosure.

EU & UK References

Vulnerability details

A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005: Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001: Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Unauthenticated path traversal in the public-facing Moodle Jmol plugin (T1190) enables arbitrary file reads from the local system (T1005), exposing sensitive data including database credentials in config files (T1552.001).

Affected Assets

geoffrowland jmol, versions ≤ 6.1

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References