CVE-2025-64714: Medium-Severity Local File Inclusion Vulnerability in PrivateBin (Upgrade Now)

Overview

CVE-2025-64714 identifies a medium-severity Local File Inclusion (LFI) vulnerability in PrivateBin, an open-source, zero-knowledge pastebin. Versions from 1.7.7 up to, but not including, the fixed release 2.0.3 are affected. Because the flaw is triggered through a cookie, no authentication is required: an attacker can cause the server to include PHP files outside the template directory, which can expose sensitive file contents and, in certain circumstances, lead to remote code execution (RCE).

Technical Details

The vulnerability resides in PrivateBin's template-switching feature. When the templateselection option is enabled in the cfg/conf.php configuration file, the application trusts the value of the template cookie and uses it to build the path of the PHP file it includes. PrivateBin's own project files carry specific PHP code that prevents them from doing anything useful when included this way, so the flaw is exploitable in two situations: when an attacker can reach a configuration file that lacks these protections, or when they can work out the relative path to a PHP script that performs privileged actions without checking who invoked it.

The core issue is that the template name taken from the cookie is not sanitized before it is used in an include() statement. The code only checks that the resulting file exists, and an existence check is not a containment check: a value containing ../ sequences traverses out of the intended template directory to any other PHP file the web server process can read.
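To make the difference between "the file exists" and "the file is one of the templates" concrete, the following is an added example that models the pattern described above; it is not PrivateBin's own code. It builds a throwaway install layout under the system temporary directory, resolves a set of constructed cookie values with a vulnerable existence-check resolver and with a hardened allowlist resolver, and prints what each would hand to include(). The directory layout, file names, the cookie samples and the function names are assumptions made for this example, and it requires PHP 8.0 or later.

```php
<?php
// Added example, not PrivateBin's code: a cookie-driven template switch in
// its vulnerable form (check existence, then include) and a hardened form
// (allowlist built from the template directory, plus a containment check).
// Layout, names and cookie samples below are constructed for the demo.

declare(strict_types=1);

// Throwaway layout under the temp dir:
//   <root>/tpl/bootstrap5.php, <root>/tpl/dark.php   legitimate templates
//   <root>/cfg/conf.php                              the file an attacker targets
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . bin2hex(random_bytes(4));
foreach (['tpl', 'cfg'] as $dir) {
    mkdir($root . DIRECTORY_SEPARATOR . $dir, 0700, true);
}
file_put_contents("$root/tpl/bootstrap5.php", "<?php echo 'bootstrap5 template';\n");
file_put_contents("$root/tpl/dark.php", "<?php echo 'dark template';\n");
// A config file written in the guarded style the page refers to: if included,
// the leading PHP only sends a 403 and comments out the rest of the file.
file_put_contents("$root/cfg/conf.php",
    ";<?php http_response_code(403); /*\n[main]\ntemplateselection = true\n; */\n");

/**
 * Vulnerable pattern: the cookie value is concatenated into a path and only
 * checked for existence, so "../cfg/conf" resolves to cfg/conf.php and is
 * accepted. Returns the path that would be passed to include(), or null.
 */
function resolveTemplateVulnerable(string $templateDir, string $cookieValue): ?string
{
    $file = $templateDir . DIRECTORY_SEPARATOR . $cookieValue . '.php';
    return is_file($file) ? $file : null;   // existence check, not a containment check
}

/**
 * Hardened pattern: the cookie may only select a name from an allowlist built
 * by listing the template directory itself. Unknown names fall back to the
 * default, and the resolved path is confirmed to sit inside the directory.
 */
function resolveTemplateHardened(string $templateDir, string $cookieValue, string $default): string
{
    $allowed = [];
    foreach (glob($templateDir . DIRECTORY_SEPARATOR . '*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = $path;   // exact-name lookup table
    }
    $chosen = $allowed[$cookieValue] ?? $allowed[$default] ?? null;
    if ($chosen === null) {
        throw new RuntimeException("default template '$default' is missing");
    }
    // Defence in depth: canonicalise both sides and require a directory-prefix match.
    $real = realpath($chosen);
    $base = realpath($templateDir);
    if ($real === false || $base === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("resolved template escapes template directory: $chosen");
    }
    return $real;
}

// Constructed cookie values: two legitimate names, one traversal, one unknown.
$templateDir = $root . DIRECTORY_SEPARATOR . 'tpl';
$samples = ['bootstrap5', 'dark', '../cfg/conf', 'nonexistent'];
foreach ($samples as $cookie) {
    $vuln = resolveTemplateVulnerable($templateDir, $cookie) ?? '(rejected)';
    $safe = resolveTemplateHardened($templateDir, $cookie, 'bootstrap5');
    printf("cookie=%-12s vulnerable -> %s\n%-19s hardened   -> %s\n", $cookie, $vuln, '', $safe);
}

// Tidy up the throwaway layout.
foreach (["$root/tpl/bootstrap5.php", "$root/tpl/dark.php", "$root/cfg/conf.php"] as $f) {
    unlink($f);
}
foreach (["$root/tpl", "$root/cfg", $root] as $d) {
    rmdir($d);
}
```

Run it with `php` from the command line. For the `../cfg/conf` sample the vulnerable resolver returns `<root>/tpl/../cfg/conf.php`, which is exactly the path that include() would then execute; the hardened resolver never sees that file because the allowlist only contains names that exist as `*.php` inside the template directory, and the unknown value silently falls back to the default. Whether the included file leaks anything in the vulnerable case depends on the guard at the top of the target, which is why the advisory's conditions mention files that lack such protections.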

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 5.8

The score lands in the medium range because the outcome can be sensitive data disclosure and, in some scenarios, remote code execution, while exploitation depends on a non-default setting: templateselection must have been enabled by the administrator. The attack itself requires no authentication, since it is driven entirely by a cookie the attacker controls. The impact is primarily on confidentiality and integrity.

Possible Impact

A successful exploit of CVE-2025-64714 could lead to:

  • Sensitive Data Disclosure: Attackers could read configuration files, potentially exposing database credentials, API keys, or other sensitive information.
  • Remote Code Execution (RCE): If an attacker can upload a PHP file to the server (even indirectly, perhaps through another vulnerability) or find an existing, vulnerable PHP script, they could achieve remote code execution, allowing them to compromise the entire server.
  • Service Disruption: The inclusion itself does not modify or delete files, but if the attacker can include a script that performs destructive actions without privilege checks, or escalates to RCE, critical files could be altered or removed, leading to a denial-of-service condition.

Mitigation and Patch Steps

The vulnerability has been patched in PrivateBin version 2.0.3. The recommended course of action is to upgrade to this version or a later release immediately.

If upgrading is not immediately possible, the following workaround can be implemented:

  • Disable Template Selection: In the [main] section of cfg/conf.php, set templateselection = false (which is the default), or remove the templateselection line entirely. With the feature disabled the template cookie is no longer used to build an include path, so the traversal has nothing to act on.
