Overview
A path traversal vulnerability, identified as CVE-2025-65952, has been discovered in the “Console” software, a network tool used to manage Gorilla Tag mods and users. Prior to version 2.8.0, attackers could leverage carefully crafted combinations of backslashes and periods to bypass security measures and write files to unauthorized directories on the system running the console. This vulnerability has been addressed in version 2.8.0 of the Console software.
Technical Details
The path traversal vulnerability stems from insufficient validation of user-supplied file paths within the Console application. Because those paths were not properly sanitized, crafted combinations of backslashes (\) and periods (.) could navigate outside of the intended directory and write files to arbitrary locations. By exploiting this flaw, a malicious actor could potentially overwrite critical system files, inject malicious code, or gain unauthorized access to sensitive information.
Specifically, commit 4bcb1cf23ef78f8e6899dd6fe3afa3b24902e458 shows a fix related to filename escaping. Commit e1005b8754594ad463ae58f8a99decda548b1826 is also relevant, as it addresses other potential injection-based vulnerabilities.
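To illustrate the class of defect described above, the following Python example (added here; it is not code from the Console project and does not reproduce its actual implementation) contrasts a naive filename filter with a containment check. It models Windows path semantics explicitly via the ntpath module so that it behaves the same on any host, and uses a constructed base directory (C:\Console\mods) as an assumption. The naive filter only strips the forward-slash traversal token, so backslash and doubled-period variants still resolve outside the base directory; the hardened version accepts only a bare file name and additionally verifies that the resolved path stays under the base.

```python
import ntpath

# Constructed example: the directory the application intends to write into.
BASE_DIR = r"C:\Console\mods"


def naive_sanitize(filename: str) -> str:
    """Flawed filter: removes only the '../' token, once per occurrence."""
    return filename.replace("../", "")


def naive_target(filename: str) -> str:
    """Resolve where the naive filter would actually write (Windows semantics)."""
    return ntpath.normpath(ntpath.join(BASE_DIR, naive_sanitize(filename)))


def is_within_base(candidate: str, base: str = BASE_DIR) -> bool:
    """True only if the normalized candidate is the base or a descendant of it."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    return cand_n == base_n or cand_n.startswith(base_n + "\\")


def safe_target(filename: str) -> str:
    """Hardened resolver: allow a bare file name only, then confirm containment."""
    # ntpath.basename splits on both '\' and '/', and strips a drive prefix,
    # so any separator, drive letter or traversal component changes the value.
    if not filename or filename in (".", "..") or ntpath.basename(filename) != filename:
        raise ValueError(f"rejected file name: {filename!r}")
    candidate = ntpath.normpath(ntpath.join(BASE_DIR, filename))
    # Defense in depth: even a bare name must resolve inside the base directory.
    if not is_within_base(candidate):
        raise ValueError(f"path escapes base directory: {candidate!r}")
    return candidate


def is_rejected(filename: str) -> bool:
    """Helper for checking that the hardened resolver refuses a name."""
    try:
        safe_target(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a backslash traversal, and a
    # doubled-period form that the naive filter collapses into a traversal.
    for name in ("mymod.dll", "..\\..\\Windows\\evil.dll", "....//evil.dll"):
        resolved = naive_target(name)
        print(f"{name!r:32} naive -> {resolved}  inside base: {is_within_base(resolved)}")
        print(f"{'':32} hardened rejects: {is_rejected(name)}")
```

The containment check compares normalized, case-folded paths and requires a trailing separator after the base so that a sibling directory such as C:\Console\mods2 is not mistaken for a child of C:\Console\mods.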
CVSS Analysis
No CVSS score has currently been assigned. Because exploitation depends on specific circumstances and configurations, further analysis would be required for a formal severity assignment.
Severity: N/A
CVSS Score: N/A
Possible Impact
Successful exploitation of this path traversal vulnerability could lead to:
- Arbitrary Code Execution: An attacker might be able to execute arbitrary code on the system running the Console software.
- Data Overwrite: Critical system files could be overwritten, leading to system instability or denial-of-service.
- Information Disclosure: Sensitive data stored on the system could be accessed by an attacker.
Mitigation and Patch Steps
The vulnerability has been patched in version 2.8.0 of the Console software. Users are strongly advised to update to the latest version as soon as possible. Ensure that the update is obtained from the official source to avoid downloading potentially malicious software.
