CVE-2025-59304
Published: 17 September 2025
Summary
CVE-2025-59304 is a critical-severity Path Traversal (CWE-22) vulnerability in the Swetrix product from vendor Swetrix. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A directory traversal vulnerability, tracked as CVE-2025-59304 and assigned CWE-22, affects the Swetrix Web Analytics API in version 3.1.1 prior to commit 7d8b972. The flaw permits remote code execution when an attacker supplies a crafted HTTP request that manipulates file paths; it carries a CVSS 3.1 base score of 9.8.
Unauthenticated attackers reachable over the network can exploit the issue without user interaction to obtain full control over the affected API instance, including arbitrary code execution that impacts confidentiality, integrity, and availability. The referenced GitHub pull request 397 implements the corrective patch, while an accompanying technical analysis describes the underlying file-upload vector and the automated remediation steps applied.
EPSS for the CVE rose from lower values after public disclosure to a peak of 0.0779 on 2026-02-03 before receding to the current 0.0455, indicating measurable post-disclosure exploitation interest that warrants continued monitoring by defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29739
Vulnerability details
A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
- T1190 Exploit Public-Facing Application
Why these techniques?
Directory traversal in file upload allows remote code execution by overwriting server files (e.g., entrypoint.js with reverse shell), enabling exploitation of a public-facing web application.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SI-2 requires timely flaw remediation, directly addressing this directory traversal vulnerability by applying the available patch from commit 7d8b972.
SI-10 mandates validation of information inputs like HTTP request parameters, preventing directory traversal attacks that lead to RCE in the Swetrix API.
SC-7 enforces boundary protection via firewalls or WAFs that can filter and block crafted HTTP requests exploiting the directory traversal vulnerability.