CVE-2024-24025

9.8 CRITICAL

📋 TL;DR

An arbitrary file upload vulnerability in Novel-Plus v4.3.0-RC1 and earlier lets an attacker upload files of their choosing by manipulating the filename parameter handled by the upload() function of FileController. Because the client-supplied name is trusted, the attacker controls where the file lands and what extension it carries, which can lead to remote code execution and full system compromise. Every Novel-Plus instance running an affected version is exposed.

💻 Affected Systems

Products:
  • Novel-Plus
Versions: v4.3.0-RC1 and prior
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the upload() handler of the FileController component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through remote code execution, data theft, or complete application takeover.

🟠

Likely Case

Webshell deployment leading to persistent access, data exfiltration, or lateral movement within the network.

🟢

If Mitigated

File uploads blocked or sanitized, limiting impact to denial of service or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires crafting malicious filename parameter; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None provided

Restart Required: No

Instructions:

No fixed release is identified above. Upgrade to the latest Novel-Plus release once the vendor confirms a fix for the upload() handler; until then, apply the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Treat the client-supplied filename as untrusted: reject any value containing '..' or a path separator, accept only an explicit allowlist of non-executable extensions (compared case-insensitively on the text after the last dot), and store the file under a server-generated name inside the upload directory.

Modify upload() in FileController to apply these checks before the file is written. A denylist of extensions is not sufficient: case variants ('.JSP') and double extensions ('shell.png.jsp', 'shell.jsp.png') routinely slip past one.
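The following is an added example, not Novel-Plus code: it contrasts the weak pattern (joining the client's filename under the upload root unchanged) with a hardened target-path routine that implements the checks above. The upload root, the extension allowlist and all function names are assumptions for the example; Novel-Plus is a Java project, so this shows the logic rather than a drop-in patch.

```python
"""Added example (not Novel-Plus code): why trusting the client's filename
is dangerous and how a hardened upload() should derive the target path.
Upload root and extension allowlist are assumptions for the example."""
import os
import uuid
from pathlib import Path

UPLOAD_ROOT = "/srv/novel-plus/uploads"                     # assumed location
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}  # assumed allowlist


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def vulnerable_target_path(filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """The weak pattern: join the client-supplied name under the upload root
    with no validation. '..' segments, absolute paths and any extension are
    honoured, so the attacker chooses both location and file type."""
    return os.path.normpath(os.path.join(upload_root, filename))


def safe_target_path(filename: str, upload_root: str = UPLOAD_ROOT,
                     allowed=frozenset(ALLOWED_EXTENSIONS)) -> str:
    """Hardened replacement: rejects traversal outright, allowlists the
    extension, and never writes the client's name to disk."""
    if not filename or "\x00" in filename:
        raise UploadRejected("empty filename or NUL byte")
    if "/" in filename or "\\" in filename:
        raise UploadRejected("path separator in filename")
    # Extension = text after the LAST dot, lower-cased, so 'SHELL.JSP' and
    # 'shell.png.jsp' both resolve to 'jsp' and are rejected; '..' and
    # hidden names like '.jpg' have an empty stem or extension and fail too.
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or not ext:
        raise UploadRejected("missing or empty extension")
    ext = ext.lower()
    if ext not in allowed:
        raise UploadRejected(f"extension '.{ext}' not in allowlist")
    # Server-generated name: the client only picks which allowed extension is used.
    target = Path(upload_root, f"{uuid.uuid4().hex}.{ext}")
    # Defence in depth: the normalised path must still sit under the root.
    root = Path(upload_root).resolve()
    if root not in target.resolve().parents:
        raise UploadRejected("resolved path escapes upload root")
    return str(target)


def probe(filenames, upload_root: str = UPLOAD_ROOT) -> dict:
    """Run both implementations on each name: {name: (weak_path, verdict)}."""
    out = {}
    for name in filenames:
        weak = vulnerable_target_path(name, upload_root)
        try:
            verdict = "accepted:" + safe_target_path(name, upload_root)
        except UploadRejected as exc:
            verdict = "rejected:" + str(exc)
        out[name] = (weak, verdict)
    return out


if __name__ == "__main__":
    # Constructed inputs, including the traversal name from the verification step.
    samples = ["cover.png", "../../malicious.jsp", "shell.png.jsp",
               "SHELL.JSP", "/etc/cron.d/x.png"]
    for name, (weak, verdict) in probe(samples).items():
        print(f"{name!r:24} weak -> {weak:32} hardened -> {verdict}")
```

Note that 'shell.jsp.png' passes the allowlist (its last extension is png) but is stored as '<random>.png', so the dangerous middle segment never reaches the filesystem; an absolute filename such as '/etc/cron.d/x.png' replaces the root entirely under os.path.join, which the weak version happily accepts.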

Web Application Firewall (WAF) Rules

all

Deploy WAF rules in front of the upload endpoint to block requests whose filename field looks like traversal or an executable type. This is a stopgap only: encoding and double-extension tricks bypass naive patterns, so the application-side fix above remains necessary.

Add WAF rule: block multipart requests to the upload endpoint whose filename contains '..', '/' or '\', or carries an executable extension (.jsp, .php, .exe and similar) anywhere in the name, matched after URL-decoding so that '..%2F' is caught as well.

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required.
  • Restrict access to upload endpoint using network ACLs or authentication.

🔍 How to Verify

Check if Vulnerable:

On an instance you own, submit an upload whose filename is crafted to traverse (e.g., '../../malicious.jsp') and check whether the server accepts it and where the file is written. A harmless text file under that name is enough to show the vulnerable code path; there is no need to upload a working webshell.

Check Version:

Check Novel-Plus version in application configuration or admin panel.

Verify Fix Applied:

Verify that filenames containing '..' or path separators and filenames with disallowed extensions are rejected, and that accepted files are stored under server-generated names inside the upload directory.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing file uploads with suspicious filenames (e.g., containing '..', '/', or executable extensions).

Network Indicators:

  • HTTP POST requests to upload endpoint with unusual filename parameters.

SIEM Query:

source="web_logs" AND uri="/upload" AND filename MATCHES "*..*|*/*|*.jsp|*.php|*.exe"

This is an illustrative pseudo-query: adapt the source, URI and field names to what your Novel-Plus deployment actually logs, and URL-decode the filename before matching so encoded traversal ('..%2F') is not missed.
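The following is an added example, not part of the page or of any vendor tooling: the SIEM query above expressed as offline detection logic run over a handful of constructed log lines. The JSON-lines format, field names and sample records are assumptions; the executable-extension list extends the page's '.jsp/.php/.exe' with '.jspx' and also flags an executable extension in the middle of a double-extension name.

```python
"""Added example: detection logic for suspicious uploads over constructed
application-log lines. Log format and field names are assumptions."""
import json
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic); one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-01-20T10:01:02Z","src":"203.0.113.7","method":"POST","uri":"/upload","status":200,"filename":"cover.png"}
{"ts":"2024-01-20T10:01:09Z","src":"198.51.100.4","method":"POST","uri":"/upload","status":200,"filename":"../../malicious.jsp"}
{"ts":"2024-01-20T10:01:15Z","src":"198.51.100.4","method":"POST","uri":"/upload","status":200,"filename":"..%2F..%2Fwebapps%2FROOT%2Fcmd.jsp"}
{"ts":"2024-01-20T10:02:00Z","src":"192.0.2.9","method":"GET","uri":"/book/list","status":200}
{"ts":"2024-01-20T10:02:31Z","src":"198.51.100.4","method":"POST","uri":"/upload","status":200,"filename":"avatar.png.php"}
{"ts":"2024-01-20T10:03:00Z","src":"203.0.113.7","method":"POST","uri":"/upload","status":200,"filename":"readme.txt"}
"""

UPLOAD_URIS = {"/upload"}   # assumed route; add the real Novel-Plus upload path(s)
TRAVERSAL = re.compile(r"\.\.|[/\\]")                  # '..', '/' or '\' anywhere
# Executable extension at the end OR followed by another dot ('shell.php.png').
EXEC_EXT = re.compile(r"\.(jsp|jspx|php|exe)(\.|$)", re.IGNORECASE)


def classify(filename: str) -> list[str]:
    """Return the indicator classes a filename triggers (empty list = clean)."""
    name = unquote(filename)   # decode first so '..%2F' is treated as '../'
    reasons = []
    if TRAVERSAL.search(name):
        reasons.append("path traversal / separator")
    if EXEC_EXT.search(name):
        reasons.append("executable extension")
    return reasons


def detect(log_text: str) -> list[dict]:
    """Scan JSON-lines log text; return one hit per suspicious POST to an upload URI."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue   # malformed line; count these separately in production
        if rec.get("method") != "POST" or rec.get("uri") not in UPLOAD_URIS:
            continue
        reasons = classify(rec.get("filename", ""))
        if reasons:
            hits.append({"line": lineno, "src": rec.get("src"),
                         "filename": rec.get("filename"), "reasons": reasons})
    return hits


def repeat_offenders(hits: list[dict], threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` hits: a cheap escalation signal."""
    counts: dict = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']:>2}  {h['src']:<14} {h['filename']!r:40} {', '.join(h['reasons'])}")
    print("repeat offenders:", repeat_offenders(found))
```

The same two regexes map directly onto the indicator classes in the pseudo-query; decoding before matching is the one step most SIEM rules omit, and it is exactly the gap an attacker probes first.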

🔗 References
