Overview
CVE-2025-54307 describes a critical path traversal vulnerability in the Thermo Fisher Torrent Suite Django application, version 5.18.1. It allows a low-privilege authenticated user to write arbitrary files to the server, which can be escalated to remote code execution. The root cause is insufficient sanitization of filenames during file uploads via the /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints.
Technical Details
The vulnerability resides in the plupload_file_upload function, which handles these uploads. It builds the destination path from either the name request parameter or the uploaded file's own name, neither of which is sanitized: the extension is split off the string and a format string joins the remainder onto the upload directory. Because any directory components in the name are preserved, the resulting path is susceptible to traversal.
An attacker can supply a name containing path traversal sequences (e.g. ../) alongside an otherwise ordinary ZIP upload. The file is then written to an arbitrary location on the server's file system, limited only by the permissions of the account running the Torrent Suite application; the number of ../ segments needed depends on the depth of the upload directory.
Exploitability was demonstrated by overwriting the pdflatex executable. That binary is later invoked via subprocess.Popen by the write_report_pdf function, which is triggered by requests to the /report/latex/(\d+).pdf endpoint. Once pdflatex has been replaced with attacker-controlled code, generating a report executes it under the same service account that performed the write, giving the attacker remote code execution. The chain requires that pdflatex be writable by that account.
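The following is an added example, not code from Torrent Suite or from the advisory's author. It reconstructs the unsafe path-building pattern described above (the exact original code is not reproduced here; os.path.splitext is assumed for the extension split) next to a hardened version, and writes a fake "upload" into a throwaway directory tree to show the difference. The directory layout, the stand-in pdflatex file and the attacker-controlled name are all constructed for the demonstration; the hardened function also illustrates the filename sanitization recommended in the mitigation section.

```python
import os
import re
import tempfile


def vulnerable_dest_path(upload_dir, name, uploaded_filename):
    """Reconstruction of the unsafe pattern: the name is used verbatim,
    the extension is split off, and a format string joins the pieces."""
    filename = name if name else uploaded_filename
    stem, ext = os.path.splitext(filename)          # assumed split method
    return "%s/%s%s" % (upload_dir, stem, ext)       # "../" in stem survives


# Allowlist: must start with an alphanumeric, so "." and ".." cannot pass.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def safe_dest_path(upload_dir, name, uploaded_filename, allowed_ext=".zip"):
    """Hardened equivalent: keep only the last path component, allowlist its
    characters, require the expected extension, and confirm the resolved
    destination is still inside the upload root."""
    raw = name if name else uploaded_filename
    # Normalise backslashes and strip NULs so neither can sneak past basename().
    filename = os.path.basename(raw.replace("\\", "/").replace("\x00", ""))
    if not _SAFE_NAME.match(filename):
        raise ValueError("rejected upload name: %r" % raw)
    if os.path.splitext(filename)[1].lower() != allowed_ext:
        raise ValueError("unexpected extension: %r" % filename)
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: refuse anything that resolves outside the root even
    # if the checks above are weakened by a later change.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory: %r" % dest)
    return dest


def demo():
    """Exercise both builders in a constructed tree:
    <tmp>/uploads is the upload root, <tmp>/bin/pdflatex stands in for the
    executable the advisory's exploit chain overwrites."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(upload_dir)
        os.makedirs(bin_dir)
        target = os.path.join(bin_dir, "pdflatex")
        with open(target, "w") as f:
            f.write("#!/bin/sh\necho original\n")

        # Attacker-controlled name: one "../" climbs out of uploads/ here.
        evil_name = "../bin/pdflatex"
        payload = "#!/bin/sh\necho attacker-controlled\n"

        with open(vulnerable_dest_path(upload_dir, evil_name, "report.zip"), "w") as f:
            f.write(payload)
        with open(target) as f:
            results["vulnerable_overwrote_pdflatex"] = f.read() == payload

        try:
            safe_dest_path(upload_dir, evil_name, "report.zip")
            results["hardened_rejected_traversal"] = False
        except ValueError:
            results["hardened_rejected_traversal"] = True

        # A traversal attempt that keeps ".zip" is neutralised rather than
        # rejected: basename() leaves only "pdflatex.zip" inside uploads/.
        dest = safe_dest_path(upload_dir, "../bin/pdflatex.zip", "report.zip")
        results["hardened_dest_inside_root"] = (
            os.path.dirname(dest) == os.path.realpath(upload_dir)
        )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, value))
```

In a real deployment the upload root sits several directories deep, so the attacker pads the name with more ../ segments; the hardened builder is indifferent to that because basename() discards every directory component before any other check runs.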
CVSS Analysis
At the time of writing, no CVSS score had been assigned to CVE-2025-54307. The factors described above map to CVSS v3.1 metrics of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H). With scope unchanged (S:U) that vector scores 8.8 (High); a Critical score in the 9.0-10.0 range requires a scope change (S:C, which yields 9.9), so the final rating depends on whether the assessor judges that control of the Torrent Suite service account reaches beyond the vulnerable component. Either way, the remote code execution outcome places this at the top end of the severity scale.
Possible Impact
Successful exploitation of CVE-2025-54307 can have severe consequences:
- Remote Code Execution: An attacker can execute arbitrary code on the server, potentially gaining full control of the system.
- Data Breach: Sensitive data stored on the server could be accessed and exfiltrated.
- System Compromise: The entire Torrent Suite installation, and potentially other systems on the same network, could be compromised.
- Denial of Service: By overwriting critical system files, an attacker could render the Torrent Suite application unusable.
Mitigation or Patch Steps
Check Thermo Fisher's security advisories for a release that fixes this issue. The following steps should be taken immediately:
- Update Torrent Suite: Upgrade to a version that contains the fix as soon as Thermo Fisher publishes one, and check the Thermo Fisher security advisories regularly for updates.
- Input Sanitization: If patching is not immediately possible, sanitize filenames server-side before they are used to build a path: keep only the final path component, reject names outside an allowlist of characters, and verify that the resolved destination still lies within the intended upload directory.
- Restrict Access: Limit access to the affected endpoints (/configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/) to trusted users only.
- Monitor System Activity: Use intrusion detection to watch for suspicious file uploads and unexpected file writes outside the upload directories, and verify the integrity of executables the application invokes, such as pdflatex, since the demonstrated exploit chain replaces that binary.
