CVE-2025-1025 Scanner

CVE-2025-1025 Scanner - Arbitrary File Upload vulnerability in Cockpit

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 14 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Cockpit is an open-source API-driven content management system (CMS) designed for developers to build flexible content structures. It enables users to manage content through a user-friendly interface while offering API endpoints for seamless integration with applications. Cockpit is widely used in web development, headless CMS solutions, and content-driven applications. It provides asset management, user authentication, and extensibility through plugins. Due to its API-first architecture, it is often deployed in modern web applications that require content flexibility. The security of its file upload functionality is crucial to prevent unauthorized access or code execution.

This vulnerability affects Cockpit versions before 2.4.1 and allows attackers to bypass upload restrictions, upload files of arbitrary type and have them executed. The flaw lies in the file upload mechanism, which fails to properly validate file extensions. Attackers can leverage this issue to upload malicious files, potentially leading to remote code execution. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), which covers exactly this risk of executing user-supplied code. Successful exploitation can grant attackers control over the underlying system. To mitigate this, affected installations should upgrade to the latest version.

The vulnerability arises from improper validation of file uploads in Cockpit's asset management system. The "/assets/upload" endpoint accepts files without enforcing strict content-type or extension checks. Attackers can craft specially named files that slip past the extension filter and are then executed by the server. By uploading a malicious PHP file and requesting it through the "/storage/uploads/" directory, an attacker can run arbitrary commands. Because the system does not restrict executable file types, it is susceptible to remote code execution. The issue is exploitable remotely and without local access, so public-facing Cockpit installations are particularly exposed.

Exploitation of this vulnerability can lead to remote code execution, allowing attackers to run arbitrary commands on the server. Malicious users may use this flaw to deploy backdoors, deface websites, or compromise sensitive data. Unauthorized file uploads can also lead to privilege escalation, enabling attackers to gain administrative control, and may be leveraged to install malware, exfiltrate sensitive files, or disrupt normal operations. Organizations using Cockpit should take immediate action to prevent unauthorized file uploads; updating to a patched version is the essential step in securing affected installations.
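The two paths named above ("/assets/upload" for the upload and "/storage/uploads/" for retrieval) give defenders a concrete detection and a concrete hardening check. The following Python is an added example, not code from Cockpit or from the scanner: it flags successful requests for script files under /storage/uploads/ in constructed web-server log lines, and shows the allowlist-style filename check (including double extensions such as shell.php.png) that an upload handler should enforce. The log lines, IP addresses and filenames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "POST /assets/upload HTTP/1.1" 200 512 "-" "curl/8.4"
10.0.0.5 - - [01/Mar/2025:10:00:03 +0000] "GET /storage/uploads/2025/03/01/shell.php HTTP/1.1" 200 88 "-" "curl/8.4"
10.0.0.9 - - [01/Mar/2025:10:01:00 +0000] "GET /storage/uploads/2025/03/01/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2025:10:02:00 +0000] "POST /assets/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2025:10:02:05 +0000] "GET /storage/uploads/report.pdf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions a web server may hand to the PHP engine. The trailing (\.|$) also
# catches the double-extension trick (shell.php.png) that naive suffix checks miss.
SCRIPT_EXT_RE = re.compile(r'\.(php|phtml|phar|php[3-8])(\.|$)', re.IGNORECASE)

# Allowlist of file types an asset store legitimately serves (assumption for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def suspicious_upload_requests(log_text):
    """Return (ip, path) for 2xx requests to script-type files under /storage/uploads/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = urlsplit(m.group("path")).path  # drop any query string before checking the suffix
        if (path.startswith("/storage/uploads/")
                and m.group("status").startswith("2")
                and SCRIPT_EXT_RE.search(path)):
            hits.append((m.group("ip"), path))
    return hits


def is_safe_upload_name(filename):
    """Allowlist check an upload handler should apply: reject script extensions anywhere in the name."""
    name = filename.rsplit("/", 1)[-1].lower()  # ignore any directory component
    if "." not in name or SCRIPT_EXT_RE.search(name):
        return False
    return name.rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS
```

Running `suspicious_upload_requests(SAMPLE_LOG)` over the constructed log yields the single shell.php retrieval by 10.0.0.5; the PNG and PDF requests are not flagged.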
