CVE-2025-53632
Published: 10 July 2025
Summary
CVE-2025-53632 is a critical-severity Path Traversal (CWE-22) vulnerability in Ctfer-Io Chall-Manager. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of file paths from zip archives during extraction to block path traversal (zip slip) attacks.
- Mandates timely patching of known flaws, such as the zip slip vulnerability fixed in Chall-Manager v0.1.4.
- Enforces boundary protections to limit network reachability to the system, aligning with recommendations to deploy Chall-Manager deep within infrastructure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated path traversal in a public-facing service directly matches exploitation of public-facing applications; the resulting arbitrary file write enables follow-on impact, but the primary technique is T1190.
NVD Description
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 47d188f and shipped in v0.1.4.
Deeper analysis
CVE-2025-53632 affects Chall-Manager, a platform-agnostic system designed to start challenges on demand for players. The vulnerability arises during the decoding of scenario files, which are zip archives, where the destination path for writing files is not validated. This enables classic zip slip attacks, classified as CWE-22 (Path Traversal), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). Versions of Chall-Manager prior to v0.1.4 are vulnerable.
Exploitation requires no authentication or authorization and can be performed remotely by any attacker able to reach the system, with low attack complexity. Successful exploitation allows arbitrary file writes outside the intended extraction directory, resulting in high integrity and availability impacts. However, it is recommended that Chall-Manager be deployed deep within the infrastructure to limit exposure, given its extensive capabilities, which may prevent practical exploitation in properly configured environments.
Mitigation is provided by a patch in commit 47d188fda5e3f86285e820f12ad9fb6f9930662c, included in Chall-Manager v0.1.4. Additional details on the vulnerability and remediation are documented in the GitHub security advisory (GHSA-3gv2-v3jx-r9fh), the affected commit, and the v0.1.4 release notes.
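The missing check described above, written as an added Go example for this advisory (it is not Chall-Manager's code nor the content of commit 47d188f): every entry name in a scenario archive is resolved under the destination directory and rejected if the cleaned path escapes it, before any file is written. The function names, the destination paths and the archives built by `buildZip` are constructed for illustration.

```go
package main
import (
	"archive/zip"
	"bytes"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an entry path would resolve outside the destination.
var ErrZipSlip = errors.New("zip slip: entry escapes destination directory")
// safeJoin resolves an entry name under dest and refuses any result that leaves dest:
// filepath.Join cleans "..", so "../../x" resolves outside dest, while "/x" is re-rooted.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// validateScenario checks every entry of an in-memory zip archive against dest
// before anything is written, so a hostile archive is rejected as a whole.
func validateScenario(archive []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Go 1.20+ may itself flag non-local names; the reader stays usable, so let the loop report them.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	for _, f := range r.File {
		if _, err := safeJoin(dest, f.Name); err != nil {
			return err
		}
	}
	return nil
}

// buildZip builds a constructed in-memory archive from (name, content) pairs.
func buildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e[0])
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}
```

An extractor that calls `validateScenario` first and then writes only the paths `safeJoin` returned never creates a file outside the scenario directory, which is the integrity/availability impact the CVSS vector records.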
Details
- CWE(s)