CVE-2025-70084
Published: 11 February 2026
Summary
CVE-2025-70084 is a high-severity Path Traversal (CWE-22) vulnerability in Opensatkit Opensatkit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-70084 is a directory traversal vulnerability (CWE-22) in OpenSatKit version 2.2.1. The flaw exists in the FileUtil_GetFileInfo function, which processes crafted input values that enable attackers to access sensitive information or delete arbitrary files.
Remote attackers can exploit this vulnerability without authentication or privileges, requiring only low attack complexity and no user interaction, per the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation allows disclosure of confidential data through unauthorized file reads and potential deletion of files outside intended directories.
References provided include a GitHub Gist at https://gist.github.com/jonafk555, the OpenSatKit repository at https://github.com/OpenSatKit/OpenSatKit, the v2.2.1 release page at https://github.com/OpenSatKit/OpenSatKit/releases/tag/v2.2.1, and the relevant source code file at https://raw.githubusercontent.com/OpenSatKit/OpenSatKit/master/cfs/apps/filemgr/fsw/src/dir.c. No explicit mitigation or patch details are specified in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207395
Vulnerability details
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal enables remote unauthenticated arbitrary file read (T1005) and deletion (T1070.004) on a public-facing component (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates directory traversal by validating and sanitizing crafted file path inputs to the FileUtil_GetFileInfo function.
Enforces access control policies to block unauthorized reads or deletions of files outside intended directories despite crafted inputs.
Limits the privileges of the vulnerable OpenSatKit process to reduce the scope of files accessible or deletable via traversal.