CVE-2025-11607

6.3 MEDIUM

📋 TL;DR

A path traversal vulnerability in MoneyPrinterTurbo's API endpoint allows attackers to write arbitrary files to the server filesystem by manipulating file upload parameters. This affects all MoneyPrinterTurbo instances up to version 1.2.6 with the vulnerable API endpoint exposed. Remote attackers can potentially overwrite critical system files or deploy malicious payloads.

💻 Affected Systems

Products:
  • harry0703 MoneyPrinterTurbo
Versions: up to 1.2.6
Operating Systems: Any OS running MoneyPrinterTurbo
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the API endpoint accessible are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary file write leading to remote code execution, data destruction, or backdoor installation.

🟠 Likely Case: Unauthorized file writes to web directories allowing web shell deployment, configuration file modification, or data exfiltration.

🟢 If Mitigated: Limited impact with proper file permission restrictions and input validation preventing traversal beyond allowed directories.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, making exposed instances immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but requires network access to the vulnerable endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available, exploitation is remote and requires no authentication, and the attack itself is a simple path traversal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.7 or later

Vendor Advisory: https://github.com/harry0703/MoneyPrinterTurbo/releases

Restart Required: No

Instructions:

1. Update MoneyPrinterTurbo to version 1.2.7 or later.
2. Replace the vulnerable app/controllers/v1/music.py file.
3. No service restart required for Python applications.

🔧 Temporary Workarounds

Disable vulnerable API endpoint

Applies to: all

Temporarily disable or block access to the /api/v1/music/upload endpoint:

# Configure web server (nginx example)
location /api/v1/music/upload { deny all; }
# Or modify application routing to disable the endpoint

Implement input validation middleware

Applies to: all

Add path traversal validation before the uploaded file is written:

# Python example: validate the uploaded filename before it is used in a path
import os

# Keep only the final path component; os.path.basename stands in for the
# undefined sanitize_filename helper and discards any directory prefix.
filename = os.path.basename(uploaded_file.filename)
if not filename or '..' in filename or filename.startswith('/'):
    raise ValueError('Invalid filename')
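The snippet above only checks the name string. A more robust version, added here as an illustration and not taken from MoneyPrinterTurbo's code, reduces the client-supplied name to a single path component, restricts its characters and extension, and then confirms that the fully resolved target still sits directly inside the upload directory. The upload directory, the allowed extensions and all sample inputs are assumptions made for the example; it also handles backslash separators, which a check for `/` alone would miss.

```python
import re
from pathlib import Path

# Hypothetical storage location; the real music directory is not given on this page.
UPLOAD_DIR = "/var/lib/moneyprinterturbo/music"

# Assumption: the upload endpoint only needs to accept audio files.
ALLOWED_EXTENSIONS = {".mp3", ".wav", ".flac", ".m4a"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must not be used for a write."""


def sanitize_filename(user_supplied: str) -> str:
    """Reduce a client-supplied name to one safe path component.

    Directory parts are discarded rather than rejected, so a harmless
    "songs/intro.mp3" still works while "../../etc/cron.d/job" loses its
    traversal prefix. Anything left that could still be dangerous
    (dot-names, hidden files, unexpected extensions) is rejected outright.
    """
    # Treat backslashes as separators too, so a Windows-style "..\" does not survive.
    name = user_supplied.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise UnsafeFilename("empty or dot-only filename")
    # Replace NUL bytes, spaces and anything outside a conservative character set.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    if name.startswith("."):
        raise UnsafeFilename("dot-prefixed (hidden) filename")
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    return name


def resolve_upload_path(upload_dir: str, user_supplied: str) -> Path:
    """Return the absolute path a sanitized upload may be written to."""
    base = Path(upload_dir).resolve()
    target = (base / sanitize_filename(user_supplied)).resolve()
    # Defence in depth: whatever sanitize_filename produced, refuse any result
    # whose resolved location is not directly inside the upload directory.
    if target.parent != base:
        raise UnsafeFilename("resolved path escaped the upload directory")
    return target


def is_safe_filename(user_supplied: str) -> bool:
    """Boolean wrapper for use in request-validation middleware."""
    try:
        sanitize_filename(user_supplied)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal upload and a few traversal-style names.
    for candidate in ["intro.mp3", "../../etc/cron.d/job", "..\\..\\Windows\\win.ini",
                      "../../.bashrc", "beat track (1).wav"]:
        try:
            print(f"{candidate!r:35} -> {resolve_upload_path(UPLOAD_DIR, candidate)}")
        except UnsafeFilename as exc:
            print(f"{candidate!r:35} -> rejected: {exc}")
```

The final `target.parent != base` comparison is the check that matters if the sanitizer is ever weakened or bypassed: it does not depend on string matching at all, only on where the operating system would actually place the file.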

🧯 If You Can't Patch

  • Implement strict file permission restrictions on web server directories
  • Deploy WAF rules to block path traversal patterns in file upload requests

🔍 How to Verify

Check if Vulnerable:

Check if MoneyPrinterTurbo version is 1.2.6 or earlier and the /api/v1/music/upload endpoint is accessible.

Check Version:

Check package.json or application metadata for version, or examine git tags if installed from source.

Verify Fix Applied:

Verify that the installed version is 1.2.7 or later, and confirm that an upload whose filename contains a path-traversal sequence is rejected with an error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations outside expected directories
  • API requests to /api/v1/music/upload with filenames containing '..' or '/' characters
  • Error logs showing path traversal attempts

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious filename parameters
  • Unusual outbound connections following file uploads

SIEM Query:

source="web_logs" AND (uri_path="/api/v1/music/upload" AND (filename="*..*" OR filename="*/*"))
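The SIEM query above matches literal `..` and `/` in the filename field, so a percent-encoded name such as `%2e%2e%2f` would slip past it. The following detector, added here as an example rather than taken from any real MoneyPrinterTurbo log format, applies the same rule after decoding percent-encoding (twice, to catch double-encoding) and folding backslashes into forward slashes, then aggregates hits by source address. The JSON field names and every log line are constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import unquote

UPLOAD_PATH = "/api/v1/music/upload"

# Constructed sample application log, one JSON record per line. The field names
# (src_ip, uri_path, filename, status) are assumptions, not MoneyPrinterTurbo's own format.
SAMPLE_LOG = r"""
{"ts":"2025-10-12T09:14:02Z","src_ip":"10.0.0.5","method":"POST","uri_path":"/api/v1/music/upload","filename":"intro.mp3","status":200}
{"ts":"2025-10-12T09:14:09Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/api/v1/music/upload","filename":"../../../tmp/traversal-test.txt","status":200}
{"ts":"2025-10-12T09:14:11Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/api/v1/music/upload","filename":"%2e%2e%2f%2e%2e%2ftmp%2fencoded-test.txt","status":200}
{"ts":"2025-10-12T09:14:15Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/api/v1/music/upload","filename":"..\\..\\tmp\\backslash-test.txt","status":400}
{"ts":"2025-10-12T09:15:00Z","src_ip":"10.0.0.9","method":"GET","uri_path":"/api/v1/videos","filename":"","status":200}
{"ts":"2025-10-12T09:15:31Z","src_ip":"10.0.0.5","method":"POST","uri_path":"/api/v1/music/upload","filename":"beat track.wav","status":200}
"""


def normalize_filename(raw: str) -> str:
    """Undo the encodings a naive "*..*" match would miss."""
    decoded = raw
    for _ in range(2):  # two rounds catch double-encoded %252e%252e
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def is_traversal_attempt(filename: str) -> bool:
    """True when the decoded filename carries a directory component or dot-dot."""
    normalized = normalize_filename(filename)
    return ".." in normalized or "/" in normalized


def detect_upload_traversal(log_text: str) -> list:
    """Return one alert dict per upload request whose filename looks like traversal."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if rec.get("uri_path") != UPLOAD_PATH:
            continue
        raw = rec.get("filename", "")
        if is_traversal_attempt(raw):
            alerts.append({
                "ts": rec.get("ts"),
                "src_ip": rec.get("src_ip"),
                "filename": raw,
                "normalized": normalize_filename(raw),
                "status": rec.get("status"),
            })
    return alerts


def attempts_per_source(alerts: list) -> Counter:
    """Aggregate alerts by source address for triage."""
    return Counter(alert["src_ip"] for alert in alerts)


if __name__ == "__main__":
    found = detect_upload_traversal(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["src_ip"]:>14} status={alert["status"]} '
              f'filename={alert["filename"]!r} -> {alert["normalized"]!r}')
    print("attempts per source:", dict(attempts_per_source(found)))
```

Requests that the application already rejected (the status 400 record) are still reported: a rejected attempt is evidence of probing against an endpoint that is supposed to be blocked, which is exactly what the "If You Can't Patch" measures need to surface.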

🔗 References
