eGovFramework Under Attack: Critical Unauthenticated File Upload Vulnerability (CVE-2025-34336)

Overview

A critical unauthenticated file upload vulnerability, identified as CVE-2025-34336, has been discovered in eGovFramework/egovframe-common-components versions up to and including 4.3.1. This flaw allows unauthenticated attackers to upload arbitrary files to affected servers, potentially leading to serious security breaches.

This vulnerability is also known as KVE-2023-5280, as identified by KISA/KrCERT.

Technical Details

The vulnerability exists in the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without requiring any authentication. The uploaded content is then processed by a shared upload helper, which stores the file on the server within a framework-controlled path.

While a filename extension whitelist is enforced to restrict the types of files that can be uploaded, the attacker has full control over the file contents. The framework provides a download URL for retrieving the uploaded content. Before version 4.1.2, the attacker also controlled the Content-Type header of the response. From version 4.1.2 onwards, the Content-Type is restricted to application/octet-stream for non-image files, but an attacker can still upload arbitrary content as long as the filename carries a whitelisted image extension. This allows an unauthenticated attacker to use any affected application as a persistent file hosting service for arbitrary content served under the application's origin.

CVSS Analysis

The CVE entry currently shows a CVSS score of N/A. Given the nature of unauthenticated remote code execution through file upload, the severity of this vulnerability is likely to be critical. The CVSS score is expected to be updated as analysis progresses.

Possible Impact

The potential impact of this vulnerability is significant. An attacker could:

  • Host malicious files on a trusted domain, bypassing security checks.
  • Potentially execute arbitrary code if the uploaded file is processed by the server in a vulnerable manner (e.g., an uploaded image containing malicious code processed by an image library).
  • Deface websites by uploading malicious images.
  • Use the compromised server as a staging ground for further attacks.

Mitigation or Patch Steps

The recommended mitigation steps are as follows:

  1. Upgrade: Upgrade to a patched version of eGovFramework that addresses this vulnerability. Refer to the official eGovFramework website for the latest updates and security advisories.
  2. Input Validation: If upgrading is not immediately possible, implement strict input validation on the server-side to prevent the upload of arbitrary files. Ensure that file content is validated against expected formats, regardless of the file extension.
  3. Authentication: Implement authentication and authorization checks for the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do endpoints to restrict access to authorized users only.
  4. Content Security Policy (CSP): Implement a strong CSP to restrict the execution of scripts from untrusted sources, mitigating the risk of malicious JavaScript being uploaded and executed.
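The content validation in step 2 can be made concrete by checking that the bytes of an upload actually match the image format the extension claims, and that nothing is appended after the format's end marker. This is an added illustration and not code from eGovFramework (whose components are Java); the png/jpg/gif whitelist, the sample blobs and the helper names are assumptions.

```python
import struct

# Leading and trailing byte signatures of the image formats the (assumed) whitelist allows.
# The byte values are the public format constants; the whitelist itself is an assumption.
IMAGE_FORMATS = {
    "png": {"head": (b"\x89PNG\r\n\x1a\n",), "tail": b"IEND\xaeB`\x82"},
    "jpg": {"head": (b"\xff\xd8\xff",),      "tail": b"\xff\xd9"},
    "gif": {"head": (b"GIF87a", b"GIF89a"),  "tail": b"\x3b"},
}
EXT_ALIASES = {"jpeg": "jpg"}  # treat .jpeg as .jpg

def detect_image_type(data: bytes):
    """Return the format implied by the file's leading bytes, or None."""
    for fmt, spec in IMAGE_FORMATS.items():
        if any(data.startswith(sig) for sig in spec["head"]):
            return fmt
    return None

def has_valid_trailer(fmt: str, data: bytes) -> bool:
    """Reject a genuine header followed by arbitrary appended bytes (an image/HTML polyglot)."""
    return data.endswith(IMAGE_FORMATS[fmt]["tail"])

def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). The content must match the declared extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in IMAGE_FORMATS:
        return False, "extension not whitelisted"
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image format"
    if detected != ext:
        return False, f"content is {detected} but extension says {ext}"
    if ext == "png":
        # A PNG must carry a 13-byte IHDR chunk immediately after the 8-byte signature.
        if len(data) < 16 or struct.unpack(">I4s", data[8:16]) != (13, b"IHDR"):
            return False, "PNG header malformed"
    if not has_valid_trailer(ext, data):
        return False, "trailing data after image end marker"
    return True, "ok"

# Constructed sample uploads for testing the validator (not real files).
PNG_OK = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 17
          + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPEG_MIN = b"\xff\xd8\xff\xe0" + b"\x00" * 4 + b"\xff\xd9"
GIF_POLYGLOT = b"GIF89a" + b"<html>not an image</html>"  # valid header, HTML body

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_OK), ("photo.jpeg", JPEG_MIN),
                       ("logo.gif", GIF_POLYGLOT), ("photo.png", JPEG_MIN),
                       ("notes.txt", b"hello")]:
        print(name, validate_upload(name, blob))
```

Signature checks alone do not prove an image is safe to decode; decoding the upload with an image library and re-encoding the result is the stronger version of this check.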

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
