CVE-2025-24886
📋 TL;DR
This vulnerability lets any authenticated user (admin privileges not required) perform Local File Inclusion (LFI) against the CTFd container of a pwn.college/dojo deployment. The dojo clones user-supplied repositories without adequately validating symlinks, so an attacker can commit a symlink whose target is a sensitive file outside the repository and then read that file through the web interface. Every pwn.college/dojo installation running the unpatched code is affected.
💻 Affected Systems
- pwn.college/dojo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete container compromise allowing access to sensitive configuration files, secrets, and potentially host system files if container mounts are misconfigured.
Likely Case
Unauthorized access to sensitive files within the CTFd container including configuration, secrets, and other user data.
If Mitigated
Limited impact with proper container isolation and minimal sensitive data in container filesystem.
🎯 Exploit Status
Requires authenticated user access and ability to create/craft malicious repositories with symlinks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version with security fix
Vendor Advisory: https://github.com/pwncollege/dojo/security/advisories/GHSA-fcq8-jqq5-9xmh
Restart Required: No
Instructions:
1. Update pwn.college/dojo to the latest version.
2. Rebuild all containers so they run the updated code.
3. Verify that symlink validation is in place: a cloned repository containing a symlink to a file outside the repository must be rejected, or the link must not be followed when files are served.
🔧 Temporary Workarounds
Disable repository cloning
Temporarily disable the ability of users to clone repositories through the CTFd interface.
Enhanced container isolation
Tighten container isolation so that a file read inside the CTFd container cannot reach host paths or secrets the container does not need.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to CTFd containers
- Regularly audit and monitor repository cloning activities for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check whether your pwn.college/dojo installation lets users clone repositories. If it does, create a test repository containing a symlink to a file outside the repository (for example /etc/passwd), have the dojo clone it, and check whether the linked file's contents can be read through the web interface.
Check Version:
Check the dojo version in your deployment configuration or container images
Verify Fix Applied:
Repeat the test with a repository containing symlinks to paths outside the repository (absolute targets and ../ targets) and confirm that the dojo rejects the repository or refuses to serve the linked content.
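The check behind step 3 of the fix instructions and the verification test above can be scripted. The following Python is an added example, not code from the dojo project or the advisory: it walks a cloned repository, reports every symlink whose resolved target lies outside the repository root, and shows the matching containment check a file-serving endpoint needs so that a symlink (or a plain ../ path) cannot reach outside the repository. The repository it inspects is constructed in a temporary directory rather than cloned with git, and all function names are assumptions.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(repo_root):
    """Return repo-relative paths of every symlink under repo_root whose
    resolved target lies outside repo_root.

    os.walk() does not follow directory symlinks, so a symlinked directory
    is inspected as a link rather than descended into.
    """
    root = Path(repo_root).resolve()
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # resolve() follows the whole link chain; with the default
            # strict=False it still yields a path if the target is missing.
            target = entry.resolve()
            try:
                target.relative_to(root)
            except ValueError:
                offenders.append(entry.relative_to(root).as_posix())
    return sorted(offenders)


def safe_read(repo_root, relpath):
    """Read a file the web layer would serve, refusing any request path,
    symlinked or not, that resolves outside repo_root."""
    root = Path(repo_root).resolve()
    candidate = (root / relpath).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{relpath} resolves outside the repository")
    return candidate.read_bytes()


def build_demo_repo():
    """Construct a throw-away directory (not a real git clone) holding the
    kinds of entries a malicious repository would carry. Returns its root."""
    base = Path(tempfile.mkdtemp(prefix="dojo-symlink-demo-"))
    root = base / "repo"
    (root / "nested").mkdir(parents=True)
    (root / "notes.txt").write_bytes(b"hello\n")
    # Benign: a link that stays inside the repository.
    (root / "inside").symlink_to("notes.txt")
    # Malicious: absolute target outside the repository.
    (root / "flag").symlink_to("/etc/passwd")
    # Malicious: relative target that climbs out of the repository.
    (root / "nested" / "up").symlink_to("../../../../etc/shadow")
    # Malicious: two-hop chain ending outside; caught because resolve()
    # follows the whole chain.
    (root / "hop").symlink_to("flag")
    return str(root)


if __name__ == "__main__":
    repo = build_demo_repo()
    print("escaping symlinks:", escaping_symlinks(repo))
    print("inside ->", safe_read(repo, "inside"))
    try:
        safe_read(repo, "flag")
    except PermissionError as exc:
        print("blocked:", exc)
```

Run escaping_symlinks() on every repository immediately after the clone and before anything in it is served; a non-empty result means the repository should be rejected. The containment check in safe_read() is the second line of defence and should stay in place even when cloning is validated. Independently of this CVE, git's own core.symlinks option (git -c core.symlinks=false clone ...) checks symlinks out as plain files containing the link text, which removes the link from the filesystem entirely; whether the dojo's fix uses that option is not stated in the advisory data on this page.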
📡 Detection & Monitoring
Log Indicators:
- Unusual repository cloning patterns (many clones by one user, or clones of freshly created repositories)
- Cloned repositories that contain symlinks, particularly ones with absolute targets or ../ components
- Web requests that return the contents of files outside the cloned repository (configuration files, secrets, /etc/passwd)
Network Indicators:
- Unusual file retrieval patterns from CTFd containers
SIEM Query:
Correlate repository clone events with subsequent file reads by the same user that resolve to paths outside the cloned repository.