CVE-2025-69288
Published: 31 December 2025
Summary
CVE-2025-69288 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Kromit Titra. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly addresses the improper input validation of timeEntryRule by requiring sanitization and validation before execution in NodeVM, preventing RCE.
SI-2 mandates timely remediation of identified flaws, such as patching to Titra version 0.99.49 which fixes the unsanitized code execution.
CM-5 restricts and authorizes changes to system data like timeEntryRule in the database, limiting admin modifications that could introduce malicious payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote code execution in a web-based application via unsanitized input to NodeVM (Node.js JS executor), directly enabling T1190 (Exploit Public-Facing Application) and facilitating T1059.007 (JavaScript) execution.
NVD Description
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization,…
more
it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
Deeper analysisAI
CVE-2025-69288 is a remote code execution vulnerability in Titra, an open source project time tracking software. In versions prior to 0.99.49, the application allows any authenticated Admin user to modify the timeEntryRule value directly in the database. This value is subsequently passed to a NodeVM context for execution as code without proper sanitization, enabling arbitrary code execution. The vulnerability is associated with CWE-20 (Improper Input Validation) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An attacker with authenticated Admin privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious timeEntryRule payload and updating it in the database, the attacker triggers execution within the NodeVM sandbox, achieving full remote code execution on the server. The changed scope (S:C) amplifies the impact, granting high confidentiality, integrity, and availability effects, potentially allowing server compromise.
Mitigation is addressed in Titra version 0.99.49, which fixes the issue by implementing proper sanitization or validation of the timeEntryRule before NodeVM execution. Security practitioners should upgrade to this version immediately. Relevant resources include the fixing commit at https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e, the release page at https://github.com/kromitgmbh/titra/releases/tag/0.99.49, and the GitHub security advisory at https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr.
Details
- CWE(s)