CVE-2019-25355

7.5 HIGH

📋 TL;DR

CVE-2019-25355 is a directory traversal vulnerability in gSOAP 2.8 that allows unauthenticated attackers to access sensitive system files by manipulating HTTP requests with path traversal sequences. This affects any system running vulnerable versions of gSOAP web services, potentially exposing configuration files, passwords, and other sensitive data.

💻 Affected Systems

Products:
  • gSOAP
Versions: Version 2.8 specifically (and possibly earlier versions with similar code patterns)
Operating Systems: All platforms running gSOAP (Linux, Windows, Unix variants)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects gSOAP web services that handle HTTP requests. The vulnerability is in the HTTP request parsing logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through retrieval of sensitive files like SSH keys, configuration files with credentials, or shadow password files, leading to privilege escalation and lateral movement.

🟠 Likely Case

Exfiltration of sensitive configuration files, application secrets, and system information that could enable further attacks.

🟢 If Mitigated

Limited to read-only access of non-critical files if proper file permissions and web server configurations restrict access.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation from anywhere on the internet with simple HTTP requests.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Exploit-DB (47653) demonstrates simple HTTP GET requests with '../' sequences to retrieve files like /etc/passwd.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: gSOAP 2.8.104 or later

Vendor Advisory: https://www.genivia.com/advisory.html

Restart Required: Yes

Instructions:

1. Download latest gSOAP version from genivia.com.
2. Replace vulnerable gSOAP libraries.
3. Recompile and redeploy affected applications.
4. Restart web services using gSOAP.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement web application firewall or input validation to block requests containing '../' sequences

# Example mod_security rule for Apache:
SecRule REQUEST_URI "\.\./" "id:1001,phase:1,deny,status:403,msg:'Path Traversal Attempt'"

File Permission Restrictions

Platform: linux

Run gSOAP services with minimal privileges and restrict file system access

# Run as non-root user:
useradd -r -s /bin/false gsoapuser
chown -R gsoapuser:gsoapuser /path/to/gsoap

🧯 If You Can't Patch

  • Implement network segmentation to isolate gSOAP services from sensitive systems
  • Deploy web application firewall with rules to detect and block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

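Test with curl: curl -v --path-as-is 'http://target/path/../../../../etc/passwd' or use the public exploit PoC. The --path-as-is option is needed because curl otherwise collapses the '../' segments before sending the request, so a vulnerable service would appear safe.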

Check Version:

Check gSOAP version in application logs or compile output, or run: strings libgsoap.so | grep -i 'gsoap version'

Verify Fix Applied:

Attempt the same traversal attack after patching - should return 403/404 error instead of file contents

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests containing '../' sequences
  • Unusual file access patterns from web service process
  • 403/404 errors for traversal attempts if blocked

Network Indicators:

  • HTTP requests with multiple '../' in URL path
  • GET requests for known sensitive files like /etc/passwd, /etc/shadow

SIEM Query:

source="web_logs" AND (url="*../*" OR url="*/etc/passwd" OR url="*/etc/shadow")
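
The log indicators above can be checked offline with a short script. This is an added example, not code from gSOAP or from this advisory; it assumes access logs in common/combined log format, uses constructed sample lines, and goes beyond the literal '../' match by percent-decoding the request target first. The names classify, normalize and scan are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumed log layout: client ... "METHOD target HTTP/x.y" status ...
REQ = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')
SENSITIVE = ("/etc/passwd", "/etc/shadow")  # files named on this page

def normalize(target, rounds=3):
    """Percent-decode repeatedly so encoded dot segments are also seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def classify(line):
    """Return (client, status, reasons) for a suspicious line, else None."""
    m = REQ.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    path = normalize(target.split("?", 1)[0])
    reasons = []
    if "../" in path or path.endswith("/.."):
        reasons.append("dot-dot segment")
    if any(path.endswith(s) for s in SENSITIVE):
        reasons.append("sensitive file")
    if not reasons:
        return None
    # A 200 on a traversal request means file contents may have been served.
    if status == "200":
        reasons.append("served (200)")
    return client, int(status), reasons

def scan(lines):
    return [r for r in map(classify, lines) if r]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /service.wsdl HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2020:10:00:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.44 - - [01/Jan/2020:10:00:09 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '192.0.2.77 - - [01/Jan/2020:10:01:00 +0000] "GET /docs/v1..2/readme HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE):
        print(client, status, ", ".join(reasons))
```

Hits tagged "served (200)" are the ones to triage first, since a blocked attempt shows up as 403/404 instead.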
