Critical Path Traversal Threat Discovered in MISP: CVE-2025-66386

by

Overview

CVE-2025-66386 is a medium severity vulnerability affecting MISP (Malware Information Sharing Platform) versions prior to 2.5.27. This vulnerability allows a site administrator to perform path traversal when viewing pictures in the app/Model/EventReport.php file, potentially leading to unauthorized access to sensitive files on the server.

Technical Details

The vulnerability stems from insufficient sanitization of user-supplied input related to file paths when displaying event report pictures. A malicious or compromised site administrator could manipulate the file path to access files outside of the intended directory. This is a classic path traversal vulnerability (also known as directory traversal).

Specifically, the view picture functionality within app/Model/EventReport.php lacks proper input validation, allowing an attacker to use sequences like ../ to navigate up the directory tree and access unauthorized files.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-66386 is 4.1 (Medium).

  • CVSS Vector: (To be determined by NIST upon publication)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High (Site Admin)
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Although classified as “Medium”, the high privilege requirement limits the attack surface. However, if a site administrator’s account is compromised, the attacker can leverage this vulnerability.

Possible Impact

Successful exploitation of CVE-2025-66386 could allow a compromised site administrator to:

  • Read sensitive configuration files containing database credentials, API keys, or other secrets.
  • Potentially execute arbitrary code on the server, depending on server configuration and accessible files.
  • Expose internal application structure, helping to discover other vulnerabilities.

The impact is limited by the required privilege level. It’s highly recommended to mitigate this threat promptly.

Mitigation and Patch Steps

The vulnerability is fixed in MISP version 2.5.27. To mitigate this vulnerability, it is strongly recommended to upgrade your MISP instance to version 2.5.27 or later.

Here are the steps to upgrade:

  1. Backup your MISP database and files.
  2. Follow the official MISP upgrade instructions, found on the MISP project’s website.
  3. Verify the upgrade was successful and that the vulnerability is no longer present.

If upgrading is not immediately possible, consider implementing temporary workarounds, such as:

  • Hardening file access permissions on the server.
  • Implementing stricter input validation on the server-side to filter out path traversal sequences. However, this workaround is not a substitute for a proper patch.

References

MISP Commit Fixing the Vulnerability
MISP Version Comparison (v2.5.26 to v2.5.27)

Leave a Comment