CVE-2022-25299

9.8 CRITICAL

📋 TL;DR

CVE-2022-25299 is a path traversal vulnerability in the cesanta/mongoose library's mg_http_upload() function that allows attackers to write files outside the intended upload directory by manipulating file names. This affects any application using mongoose versions before 7.6 for file upload functionality. Attackers could potentially overwrite critical system files or deploy malicious payloads.

💻 Affected Systems

Products:
  • cesanta/mongoose
Versions: All versions before 7.6
Operating Systems: All operating systems where mongoose is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the mg_http_upload() function for file uploads. Applications not using this function are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution via overwriting system files or configuration files, or deploying web shells, leading to complete system compromise.

🟠 Likely Case: Unauthorized file writes to sensitive directories, potentially enabling data manipulation, privilege escalation, or denial of service.

🟢 If Mitigated: Limited impact if proper input validation and file permission restrictions are in place, preventing writes to critical locations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to have file upload functionality using the vulnerable function. Simple path traversal payloads can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6 and later

Vendor Advisory: https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945

Restart Required: Yes

Instructions:

1. Update mongoose to version 7.6 or later.
2. Rebuild and redeploy the application.
3. Restart the service to apply changes.

🔧 Temporary Workarounds

Input validation for file names (all platforms)

Implement server-side validation to reject file names containing path traversal sequences (../, ..\) before processing uploads.
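An added example, not code from mongoose or from this advisory, of the server-side check described above: a C file-name validator that refuses any path separator or dot component before the name is joined to the upload directory. The upload directory path is a constructed placeholder.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_DIR "/var/www/uploads"   /* constructed example directory */

/* Return true only if `name` is a plain file name: non-empty, no '/' or '\',
   not "." or "..", no control characters. Rejecting separators outright
   means "a/../../etc/passwd" is refused before any path join happens. */
bool upload_name_is_safe(const char *name) {
  size_t n;
  if (name == NULL) return false;
  n = strlen(name);
  if (n == 0 || n > 255) return false;
  if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return false;
  if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
  for (size_t i = 0; i < n; i++) {
    unsigned char c = (unsigned char) name[i];
    if (c < 0x20 || c == 0x7f) return false;   /* control characters */
  }
  return true;
}

/* Build "<dir>/<name>" into `out`. Fails closed (returns false) when the
   name is unsafe or the result would not fit in the buffer. */
bool build_upload_path(const char *dir, const char *name,
                       char *out, size_t out_len) {
  int written;
  if (!upload_name_is_safe(name)) return false;
  written = snprintf(out, out_len, "%s/%s", dir, name);
  if (written < 0 || (size_t) written >= out_len) return false;
  return true;
}

int main(void) {
  /* Constructed sample names: one benign, the rest traversal attempts. */
  const char *samples[] = {"report.pdf", "../../etc/passwd",
                           "..\\..\\win.ini", "a/../../x", ".."};
  char path[512];
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    bool ok = build_upload_path(UPLOAD_DIR, samples[i], path, sizeof(path));
    printf("%-20s -> %s\n", samples[i], ok ? path : "REJECTED");
  }
  return 0;
}
```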

Restrict upload directory permissions (linux)

Set strict file system permissions on the upload directory to prevent writes outside the intended location.

chmod 750 /path/to/upload/directory

🧯 If You Can't Patch

  • Disable file upload functionality if not essential.
  • Implement a web application firewall (WAF) with rules to block path traversal patterns in file names.

🔍 How to Verify

Check if Vulnerable:

Check if the application uses mongoose version earlier than 7.6 and has file upload functionality via mg_http_upload().

Check Version:

Check the application's dependency file (e.g., package.json, go.mod) or run the application with version flag if available.

Verify Fix Applied:

Confirm mongoose version is 7.6 or later and test file uploads with path traversal payloads to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed file upload attempts with suspicious file names containing ../ or ..\
  • Unexpected file writes outside the upload directory

Network Indicators:

  • HTTP POST requests to upload endpoints with file names containing path traversal sequences

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR method="POST") AND file_name MATCHES "*../*"
