CVE-2025-53534
Published: 05 August 2025
Summary
CVE-2025-53534 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, it ranks in the top 14.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
RatPanel, a server operation and maintenance management panel, contains an authentication bypass vulnerability in versions 2.3.19 through 2.5.5. The flaw stems from improper use of the CleanPath middleware in the github.com/go-chi/chi package, which fails to sanitize r.URL.Path and allows path misinterpretation. This leads to remote code execution or full host takeover, along with broader unauthorized access, when an attacker reaches the backend login endpoint. The issue is tracked under CWE-305 and was corrected in version 2.5.6.
An attacker who first discovers or brute-forces the panel's backend login path can exploit the vulnerability without valid credentials. Successful exploitation grants the ability to run arbitrary system commands on the RatPanel host or seize control of any servers managed through the panel.
Public advisories and the associated patch release recommend immediate upgrade to RatPanel 2.5.6. The fix is detailed in the project commit ed5c74c and the GitHub Security Advisory GHSA-fm3m-jrgm-5ppg.
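The mismatch described above, where routing uses a cleaned path while r.URL.Path stays raw, can be reproduced with the standard library alone. This is an added example, not RatPanel's or chi's code: routeFor, guardRaw, guardClean, serve, the /api/ prefix, the panel.example host and the sample paths are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// routeFor models a router that dispatches on a cleaned copy of the path
// (what a CleanPath-style step arranges) while r.URL.Path itself stays raw.
func routeFor(r *http.Request) string { return path.Clean(r.URL.Path) }

// guardRaw is the flawed pattern: "login required?" is decided from raw r.URL.Path.
func guardRaw(r *http.Request) bool { return strings.HasPrefix(r.URL.Path, "/api/") }

// guardClean decides on the same normalized path the router will dispatch on.
func guardClean(r *http.Request) bool {
	return strings.HasPrefix(path.Clean(r.URL.Path)+"/", "/api/")
}

// serve sends one unauthenticated request through guard + router and
// returns the HTTP status the client would see.
func serve(guard func(*http.Request) bool, rawPath string) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if guard(r) { // no session exists in this model, so guarded paths are refused
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if routeFor(r) == "/api/protected" {
			w.WriteHeader(http.StatusOK) // protected handler reached
			return
		}
		w.WriteHeader(http.StatusNotFound)
	})
	req := httptest.NewRequest(http.MethodGet, "http://panel.example"+rawPath, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample paths: one canonical, two that only match after cleaning.
	for _, p := range []string{"/api/protected", "//api/protected", "/static/../api/protected"} {
		fmt.Printf("%-28q raw-guard=%d clean-guard=%d\n", p, serve(guardRaw, p), serve(guardClean, p))
	}
}
```

With guardRaw the two non-canonical paths return 200 without a session; with guardClean every variant returns 401, because the access decision and the route lookup see the same string.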
The EPSS score has remained flat at 0.0230 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23654
Vulnerability details
RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel without logging in. In addition to this remote code execution (RCE) vulnerability, the flawed code also leads to unauthorized access. RatPanel uses the CleanPath middleware provided by the github.com/go-chi/chi package to clean URLs, but the middleware does not process r.URL.Path, which can cause the paths to be misinterpreted. This is fixed in version 2.5.6.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.