CVE-2025-24372
📋 TL;DR
CVE-2025-24372 is a cross-site scripting (XSS) vulnerability in CKAN data management systems that allows authenticated users to upload malicious files containing executable code. When an administrator opens these files, the attacker can perform privilege escalation or other malicious actions. This affects CKAN versions before 2.10.7 and 2.11.2.
💻 Affected Systems
- CKAN
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative privileges, leading to complete system compromise, data theft, or further attacks on the data portal and connected systems.
Likely Case
Authenticated users escalate privileges to administrator level, gaining unauthorized access to sensitive data and system controls.
If Mitigated
With proper file upload restrictions or patching, the attack vector is eliminated, preventing code execution through uploaded files.
🎯 Exploit Status
Exploitation requires user registration, file upload capability, and administrator interaction with the malicious file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CKAN 2.10.7 and 2.11.2
Vendor Advisory: https://github.com/ckan/ckan/commit/7da6a26c6183e0a97a356d1b1d2407f3ecc7b9c8
Restart Required: No
Instructions:
1. Back up your CKAN instance and database.
2. Upgrade to CKAN 2.10.7 or 2.11.2 using your package manager or source installation method.
3. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict File Upload Types
Configure CKAN to allow only safe file types for uploads by users and groups.
ckan.upload.user.types = 'safe_mimetype1 safe_mimetype2'
ckan.upload.group.types = 'safe_mimetype1 safe_mimetype2'
Disable File Uploads
Completely disable file upload functionality for users.
ckan.upload.user.types = none
🧯 If You Can't Patch
- Implement strict file upload restrictions using CKAN configuration options to block potentially malicious file types.
- Monitor and audit file upload activities and administrator file interactions for suspicious behavior.
🔍 How to Verify
Check if Vulnerable:
Check your CKAN version: a 2.10.x release below 2.10.7, a 2.11.x release below 2.11.2, or any older branch is vulnerable.
Check Version:
ckan --version
Verify Fix Applied:
After upgrading, confirm that your CKAN version is 2.10.7 or later on the 2.10 branch, or 2.11.2 or later on the 2.11 branch.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads from authenticated users, especially with non-standard file extensions or MIME types
- Administrator account activity showing access to recently uploaded files
Network Indicators:
- HTTP requests uploading files with potential malicious payloads to CKAN endpoints
SIEM Query:
source="ckan_logs" AND (event="file_upload" AND file_type NOT IN ("safe_types")) OR (user="admin" AND action="file_access")
🔗 References
- https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-group-mimetypes
- https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-group-types
- https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-user-mimetypes
- https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-user-types
- https://github.com/ckan/ckan/commit/7da6a26c6183e0a97a356d1b1d2407f3ecc7b9c8
- https://github.com/ckan/ckan/security/advisories/GHSA-7pq5-qcp6-mcww