
CVE-2025-55454

Severity: High · Public PoC available

Published: 22 August 2025
Modified: 12 September 2025
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0027 (51.2nd percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55454 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in DooTask (vendor Dootask). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 48.8% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions; note that SI-9 is a revision 4 control that revision 5 withdrew and folded into AC-2, AC-3, AC-5 and AC-6, so in an r5 mapping the same requirement appears under those access-control IDs).

Deeper analysis

CVE-2025-55454 is an authenticated arbitrary file upload vulnerability in the /msg/sendfiles component of DooTask version 1.0.51. Published on 2025-08-22, it lets an authenticated user upload a crafted file that the server will later execute, giving arbitrary code execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

The vulnerability is exploitable over the network by an authenticated user with low privileges, with low attack complexity and no user interaction. A successful attack has high impact on confidentiality, integrity and availability, and can end in full compromise of the affected DooTask instance through remote code execution. Because only a low-privileged account is required, any user able to send a message with an attachment is a candidate attacker, so instances that allow self-registration or host many untrusted members are the most exposed.

Mitigation details are available in the referenced advisory at https://www.notion.so/Dootask-Arbitrary-file-upload-vulnerability-2162818a9e118053a586cf4bc05fd1fa.


Vulnerability details

An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file.

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Server Software Component: Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload (CWE-434) in a web application component lets an attacker drop a web shell and obtain RCE with a single crafted file; the upload itself is Exploit Public-Facing Application (initial access), and the shell it leaves behind is Server Software Component: Web Shell (persistence).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
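The mapping above describes a two-step pattern that is visible in ordinary web server logs: a successful POST to /msg/sendfiles, then a request for a server-executable file under the directory from which uploads are served. The following detection example is added here and is not taken from the source page or from the DooTask project. It parses constructed access-log lines in NCSA combined format and assumes that served uploads live under /uploads/ (an assumption; the real storage path is not given on this page). Requests for an executable file under the upload prefix are always flagged; when the same client POSTed to the upload endpoint within the preceding ten minutes the alert is escalated, since that is the upload-then-execute sequence the ATT&CK mapping expects.

```python
"""Detect upload-then-execute activity (added example, not DooTask code)."""
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/msg/sendfiles"   # the vulnerable endpoint named in the advisory
UPLOAD_PREFIX = "/uploads/"          # ASSUMPTION: where the app serves stored uploads
EXEC_EXTS = {"php", "php3", "php5", "php7", "phtml", "phar",
             "jsp", "jspx", "asp", "aspx", "cgi"}
WINDOW = timedelta(minutes=10)       # upload -> first fetch correlation window

# NCSA combined log format, parsed up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; they are not real DooTask logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Aug/2025:10:01:12 +0000] "POST /msg/sendfiles HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [22/Aug/2025:10:01:40 +0000] "GET /uploads/2025/08/22/shell.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '10.0.0.9 - - [22/Aug/2025:10:02:01 +0000] "GET /uploads/2025/08/22/report.pdf HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Aug/2025:10:03:00 +0000] "POST /msg/sendfiles HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Aug/2025:10:05:00 +0000] "GET /uploads/2025/08/22/shell.php?cmd=whoami HTTP/1.1" 200 61 "-" "curl/8.4.0"',
    'not a log line',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["target"].split("?", 1)[0]   # drop the query string
    return e


def is_executable_upload_path(path):
    """True if path is under the upload prefix and any dotted suffix is server-executable."""
    if not path.startswith(UPLOAD_PREFIX):
        return False
    name = path.rsplit("/", 1)[-1].lower()
    return any(ext in EXEC_EXTS for ext in name.split(".")[1:])


def find_webshell_activity(lines):
    """Two rules: an executable file requested under uploads (weak signal), and
    the same client having POSTed to the upload endpoint shortly before (strong)."""
    uploads = {}   # client ip -> timestamps of successful uploads
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and 200 <= e["status"] < 300:
            uploads.setdefault(e["ip"], []).append(e["ts"])
            continue
        if not is_executable_upload_path(e["path"]):
            continue
        recent = [t for t in uploads.get(e["ip"], []) if timedelta(0) <= e["ts"] - t <= WINDOW]
        alerts.append({
            "ip": e["ip"],
            "path": e["path"],
            "status": e["status"],
            "rule": "upload_then_execute" if recent else "executable_under_uploads",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_webshell_activity(SAMPLE_LOG):
        print(alert)
```

The weak rule fires on 404s as well as 200s on purpose: a probe for a shell that is not there is still worth a look. Correlating on client address is a simplification; an attacker who uploads from one address and fetches from another is caught only by the weak rule, so in production correlate on the authenticated user where the application logs it.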

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

Vendor: dootask
Product: dootask
Version: 1.0.51

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-10 Information Input Validation (prevent): validate uploaded files server-side in the /msg/sendfiles component so that dangerous file types are never stored where they could later be executed. Validation must not trust the client-supplied name or Content-Type; check the extension against an allowlist and the content against the magic bytes of the claimed type.

SI-9 Information Input Restrictions (prevent; an r4 control withdrawn in r5 and incorporated into AC-2, AC-3, AC-5 and AC-6): restrict the file types, extensions and characteristics accepted on upload so that crafted executable files are refused. Treat every dotted component of the name as an extension, since "shell.php.png" passes a last-extension check.

SI-3 Malicious Code Protection (prevent, detect): scan uploaded content at the entry point and quarantine or delete files that carry executable or web-shell payloads. Scanning is a backstop, not a substitute for the allowlist: a PHP payload appended to a valid image clears most signature scanners.

Independently of the checks above, store uploads outside the web root or in a location the web server is configured not to execute, and serve them through a handler that sets Content-Disposition: attachment and X-Content-Type-Options: nosniff; with that in place an upload bypass yields a stored file rather than code execution.

References

Dootask arbitrary file upload vulnerability advisory: https://www.notion.so/Dootask-Arbitrary-file-upload-vulnerability-2162818a9e118053a586cf4bc05fd1fa