CVE-2025-55454
Published: 22 August 2025
Summary
CVE-2025-55454 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in DooTask (vendor Dootask). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2025-55454 is an authenticated arbitrary file upload vulnerability in the /msg/sendfiles component of DooTask version 1.0.51. Published on 2025-08-22, it enables attackers to upload crafted files that result in arbitrary code execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability can be exploited over the network by authenticated users with low privileges; attack complexity is low and no user interaction is required. The impact on confidentiality, integrity, and availability is rated high, so a successful exploit can lead to full compromise of the affected DooTask instance through remote code execution.
Mitigation details are available in the referenced advisory at https://www.notion.so/Dootask-Arbitrary-file-upload-vulnerability-2162818a9e118053a586cf4bc05fd1fa.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28589
Vulnerability details
An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload (CWE-434) in a web application component directly enables web shell deployment and remote code execution via a crafted file, matching Exploit Public-Facing Application (T1190) and Server Software Component: Web Shell (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- Directly validates uploaded files in the /msg/sendfiles component to block unrestricted dangerous file types leading to arbitrary code execution.
- Restricts file types, extensions, and characteristics allowed in uploads to prevent crafted executable files from being accepted.
- Deploys malicious code protection at the file upload entry point to scan and eradicate crafted files capable of arbitrary code execution.
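As an added illustration of the input-validation and input-restriction controls listed above (example code written for this page, not DooTask's own code; the allowlist, size limit, filename policy and helper names are assumptions), a Python validator that applies an extension allowlist, a single-extension rule and a magic-byte check to an upload, and assigns a server-chosen storage name instead of trusting the client's filename:

```python
import os
import re
import secrets

# Constructed allowlist for this example: extension -> accepted leading magic bytes.
# A deployment chooses its own set; anything not listed is rejected.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")   # assumed filename policy
MAX_BYTES = 10 * 1024 * 1024                          # assumed size limit


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); reject anything not proven to be an allowlisted type."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base.startswith(".") or not SAFE_NAME.match(base):
        return False, "unsafe filename"            # path components or odd characters
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"   # blocks name.php.png style names
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowlisted"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized file"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # Magic bytes alone do not rule out a polyglot (valid image header followed by
    # script), so the caller must also store the file under a server-chosen name
    # in a location the web server never executes or serves with script handlers.
    return True, "ok"


def stored_name(filename: str, data: bytes) -> str:
    """Server-chosen storage name: random token plus the validated extension."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"
```

The checks are layered on purpose: the allowlist and single-extension rule stop obviously executable names, the magic-byte check stops mislabelled content, and the server-chosen name removes the client's control over where and as what the file is stored.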