Cyber Resilience

CVE-2025-55988
Severity: High
Published: 20 March 2026
Modified: 14 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fix committed upstream (see Deeper analysis)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0014 (33.8th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55988 is a high-severity path traversal (CWE-22) vulnerability in DreamFactory Core (df-core). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The mitigations our analysis rates strongest are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55988 is a directory traversal vulnerability (CWE-22) in the /Controllers/RestController.php component of DreamFactory Core version 1.0.3. The flaw arises from a URI path that is used without sanitization, so an attacker can supply traversal sequences and reach files outside the directory the controller is meant to serve. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-20.

Exploitation is reachable over the network with low attack complexity and no user interaction, but it requires high privileges (PR:H), i.e. an authenticated account with significant control over the vulnerable component. A successful attack has high impact on confidentiality, integrity and availability; the scope is unchanged, so the impact is bounded by the vulnerable component's own security authority.

The fix is a commit to the DreamFactory Core (df-core) repository: https://github.com/dreamfactorysoftware/df-core/commit/54354605b2ec9afe6ee96756a5a22f6f56828950#diff-e57a7c0af25166ac8f02695307c6c413ca4ba0a48a20b2202ad910654528aab1. Further details appear in the Pentest-Tools advisory on remote code execution via URL path traversal: https://pentest-tools.com/PTT-2025-001-RemoteCodeExecution-via-URL-Path-Traversal.pdf.

Vulnerability details

An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attackers to execute a directory traversal via an unsanitized URI path.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A directory traversal in a public-facing web application component directly enables remote file access and, per the referenced advisory, remote code execution against the application, which is the initial-access pattern T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)
CVE-2025-11366 (shared CWE-22)
CVE-2026-1810 (shared CWE-22)

Affected Assets

Vendor: DreamFactory
Product: DreamFactory Core
Version: 1.0.3

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5, AI)

SI-10 Information Input Validation (prevent)

Directly mitigates the directory traversal by requiring validation of URI path inputs, rejecting traversal sequences such as '../' (including percent-encoded forms) before the path is used to locate a file.

SI-2 Flaw Remediation (prevent)

Addresses the specific flaw in /Controllers/RestController.php through timely identification, reporting and correction, i.e. applying the referenced upstream commit.

prevent

Enforces approved authorizations for logical access to files, limiting what a traversal that escapes the intended directory can read or write.
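The following is an added illustration, not DreamFactory's code and not the content of the referenced commit: a hypothetical resolver that maps the resource part of a REST URI onto a per-service storage directory, shown in the unsanitized form the Deeper analysis describes and in a hardened form that implements the SI-10 input validation above. The /api/v2/files/ route prefix, the STORAGE_ROOT constant and the sample URIs are assumptions constructed for the example.

```php
<?php
// Added example (not DreamFactory code). Hypothetical resolver mapping the
// resource part of a REST URI onto a filesystem path under a storage root.
declare(strict_types=1);

const STORAGE_ROOT = '/var/www/storage/app/files';   // assumed root for the example

// VULNERABLE pattern: the resource path is taken straight from the URI and
// concatenated, so "../" segments walk out of STORAGE_ROOT.
function resolveResourceUnsafe(string $uriPath): string
{
    // e.g. "/api/v2/files/reports/q1.csv" -> "reports/q1.csv"
    $resource = preg_replace('#^/api/v2/files/?#', '', $uriPath);
    return STORAGE_ROOT . '/' . $resource;
}

// HARDENED form: decode once, allow-list every segment, reject any parent
// reference, and confirm containment before the path reaches the filesystem.
function resolveResourceSafe(string $uriPath): ?string
{
    $resource = preg_replace('#^/api/v2/files/?#', '', $uriPath);

    // Decode exactly once. A double-encoded "%252e" decodes to the literal
    // "%2e", which then fails the per-segment allow-list below.
    $decoded = rawurldecode($resource);

    // NUL bytes and backslashes have no place in a resource name.
    if ($decoded === '' || preg_match('/[\x00\\\\]/', $decoded)) {
        return null;
    }

    $clean = [];
    foreach (explode('/', $decoded) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;              // collapse "//" and "/./"
        }
        if ($segment === '..') {
            return null;           // any parent reference is rejected outright
        }
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $segment)) {
            return null;           // allow-list of characters, not a deny-list
        }
        $clean[] = $segment;
    }
    if ($clean === []) {
        return null;
    }

    $candidate = STORAGE_ROOT . '/' . implode('/', $clean);

    // Belt and braces: lexical containment check on the assembled string.
    if (!str_starts_with($candidate, STORAGE_ROOT . '/')) {
        return null;
    }
    return $candidate;
}

// Constructed sample requests for the demonstration (not from the advisory).
$samples = [
    '/api/v2/files/reports/q1.csv',
    '/api/v2/files/../../../../etc/passwd',
    '/api/v2/files/%2e%2e/%2e%2e/.env',
    '/api/v2/files/reports/..%2f..%2fconfig/app.php',
    '/api/v2/files/%252e%252e/%252e%252e/.env',
];

foreach ($samples as $uri) {
    printf("%-50s unsafe=%s\n%-50s safe=%s\n\n",
        $uri, resolveResourceUnsafe($uri),
        '', resolveResourceSafe($uri) ?? 'REJECTED');
}
```

Run with php example.php. The hardened resolver decodes the path exactly once and then applies an allow-list per segment, so a double-encoded %252e%252e never turns back into '..'. The containment check is lexical; where the resolved path is later handed to the filesystem, pair it with realpath() and a second check against the storage root so that symlinks inside the directory cannot point back out.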
