Overview
A high-severity vulnerability, identified as CVE-2025-66384, has been discovered in MISP (Malware Information Sharing Platform) before version 2.5.24. This vulnerability resides in the app/Controller/EventsController.php file and involves insufficient validation of uploaded files, specifically related to the tmp_name parameter. This could allow an attacker to upload malicious files, potentially leading to remote code execution or other security compromises.
Technical Details
The vulnerability stems from inadequate logic in validating the legitimacy of uploaded files within the EventsController.php file. Specifically, the checks performed on the tmp_name, which represents the temporary filename of the uploaded file on the server, are insufficient. An attacker could potentially bypass these checks by manipulating the uploaded file and its associated metadata, including the tmp_name value. This manipulation can lead to the successful uploading and execution of malicious code.
The vulnerable code resides within EventsController.php, specifically in the handling of file uploads related to event data. The insufficient validation opens a window for attackers to inject malicious content by exploiting the trust placed in the tmp_name value without appropriate sanitization and verification.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 8.2, classifying it as HIGH severity. The CVSS vector reflects the potential for significant impact:
- CVSS Score: 8.2
- Severity: High
- The exploitation of this vulnerability does not require any special privileges or user interaction in many cases.
Possible Impact
Successful exploitation of this vulnerability could have severe consequences, including:
- Remote Code Execution (RCE): An attacker could execute arbitrary code on the MISP server, potentially gaining complete control of the system.
- Data Breach: Uploaded malicious files could be designed to exfiltrate sensitive information stored within the MISP instance or on the underlying server.
- Denial of Service (DoS): An attacker could upload files designed to consume excessive server resources, leading to a denial-of-service condition, rendering the MISP platform unavailable.
- System Compromise: The entire MISP system and potentially the host environment could be compromised.
Mitigation and Patch Steps
The primary mitigation strategy is to upgrade your MISP instance to version 2.5.24 or later. This version includes the necessary fixes to address the vulnerability. Follow these steps:
- Back up your MISP instance: Before applying any updates, create a full backup of your MISP database and files.
- Upgrade MISP: Follow the official MISP upgrade instructions. This typically involves using the built-in updater or manually upgrading the MISP code.
- Verify the Update: After the upgrade, confirm that you are running version 2.5.24 or later.
Workaround (if immediate upgrade is not possible): While upgrading is the recommended solution, if an immediate upgrade is not feasible, consider implementing strict server-side file type validation and sanitization measures to mitigate the risk of malicious file uploads. This is only a temporary workaround and should not be considered a replacement for upgrading.
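The server-side validation described in the workaround can look like the following PHP example, which is added here for illustration and is not MISP's code or the 2.5.24 patch. The function name validateUpload, the MIME allow list and the size limit are hypothetical, and the fileinfo extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a MISP function): validate one $_FILES entry
// before any code reads or moves the file named by tmp_name.
function validateUpload(array $file, array $allowedMime, int $maxBytes): array
{
    // Reject malformed or multi-file structures where fields arrive as arrays.
    foreach (['error', 'tmp_name'] as $key) {
        if (!isset($file[$key]) || is_array($file[$key])) {
            return [false, "malformed upload field: $key"];
        }
    }
    if ((int) $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . (int) $file['error']];
    }
    // Core check: tmp_name must be a file PHP itself received via HTTP POST,
    // not an arbitrary server path supplied through request data.
    if (!is_string($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'tmp_name is not a genuine uploaded file'];
    }
    // Measure the file on disk; the client-supplied "size" is not trusted.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return [false, 'size outside allowed range'];
    }
    // Detect the type from content; the client-supplied "type" is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $allowedMime, true)) {
        return [false, 'content type not allowed'];
    }
    return [true, $mime];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: tmp_name names an existing server file that was
    // never uploaded, so the is_uploaded_file() check must reject it.
    $forged = [
        'name' => 'report.json', 'type' => 'application/json',
        'tmp_name' => __FILE__, 'error' => UPLOAD_ERR_OK, 'size' => 10,
    ];
    [$ok, $detail] = validateUpload($forged, ['application/json', 'text/plain'], 1048576);
    echo ($ok ? 'accepted: ' : 'rejected: ') . $detail . PHP_EOL;
}
```

Run from the command line, the constructed entry is rejected because is_uploaded_file() returns false for any file that did not arrive through PHP's own POST upload handling.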
References
- CVE: CVE-2025-66384
- MISP Commit: 6867f0d3157a1959154bdad9ddac009dec6a19f5
- MISP changes: v2.5.23…v2.5.24