CVE-2025-24888

8.1 HIGH

📋 TL;DR

This vulnerability allows a compromised SecureDrop Server to execute arbitrary code on the SecureDrop Client virtual machine by exploiting improper path validation during file downloads. It affects SecureDrop Client versions prior to 0.14.1. The attack requires server compromise and cannot be performed by unauthenticated remote attackers.

💻 Affected Systems

Products:
  • SecureDrop Client
Versions: All versions prior to 0.14.1
Operating Systems: Qubes OS (specifically the sd-app VM)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SecureDrop Workstations communicating with a compromised SecureDrop Server. The vulnerability is in the client-side file handling logic.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the SecureDrop Client VM (sd-app) allowing attacker to read sensitive journalist communications, modify submissions, or pivot to other systems in the SecureDrop Workstation environment.

🟠 Likely Case

Limited code execution within the sd-app VM, potentially allowing monitoring of journalist activities or exfiltration of decrypted communications if combined with other vulnerabilities.

🟢 If Mitigated

Attack fails due to proper server hardening and monitoring, with only failed file writes detected in logs.

🌐 Internet-Facing: LOW - The SecureDrop Server is only exposed via Tor hidden services, and the vulnerability requires server compromise first.
🏢 Internal Only: HIGH - Once a server is compromised, this provides direct code execution on connected client workstations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires server compromise first, then crafting malicious HTTP responses with path traversal in Content-Disposition headers. No known exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.1

Vendor Advisory: https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-6c3p-chq6-q3j2

Restart Required: No

Instructions:

  1. Update SecureDrop Client to version 0.14.1 or later.
  2. Verify the update completed successfully.
  3. No VM restart is required, as this is an application update within the sd-app VM.

🔧 Temporary Workarounds

Monitor server integrity (platform: all)

Implement enhanced monitoring and integrity checks on the SecureDrop Server to detect compromise early.

Restrict autostart directory (platform: linux)

Set the immutable flag on the /home/user/.config/autostart/ directory to prevent file creation:

sudo chattr +i /home/user/.config/autostart/

🧯 If You Can't Patch

  • Isolate SecureDrop Workstation from potentially compromised servers
  • Implement strict file integrity monitoring on the sd-app VM, particularly watching for files written outside expected directories

🔍 How to Verify

Check if Vulnerable:

Check SecureDrop Client version: if version < 0.14.1, system is vulnerable

Check Version:

Check the SecureDrop Client application version through the GUI or examine the installed package version in the sd-app VM

Verify Fix Applied:

Verify SecureDrop Client version is 0.14.1 or higher and check that the fix commit (120bac14649db0bcf5f24f2eb82731c76843b1ba) is present in the codebase

📡 Detection & Monitoring

Log Indicators:

  • Failed safe_move() operations with path traversal errors
  • Files written to unexpected directories outside /home/user/.securedrop_client/data
  • Autostart files created in /home/user/.config/autostart/ with suspicious content
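The two defensive checks this record describes, mapping a server-supplied Content-Disposition filename to a write path without letting it escape the client data directory, and flagging file writes that land outside that directory or inside the autostart directory, are shown together below. This is an added example written for this page, not SecureDrop Client's own code; the directory paths are the ones named on the page, while the header values, event timestamps and function names are constructed for the illustration.

```python
import posixpath
import re

# Directories named on this page; everything else below is constructed for the example.
DATA_DIR = "/home/user/.securedrop_client/data"
AUTOSTART_DIR = "/home/user/.config/autostart"

_FILENAME_RE = re.compile(r'filename=(?:"([^"]*)"|([^;]+))', re.IGNORECASE)


def filename_from_content_disposition(header):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def is_contained(base_dir, path):
    """True if the lexically normalised absolute path lies strictly inside base_dir.

    Both arguments must be absolute; normpath collapses any '..' components so
    a traversal attempt is judged by where it actually ends up.
    """
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(path)
    return target != base and posixpath.commonpath([base, target]) == base


def download_target(header, data_dir=DATA_DIR):
    """Hardened mapping from a server-supplied header to a local write path.

    The supplied name must already be a bare file name (no directory part),
    and the joined result is re-checked for containment before it is returned,
    so a server that controls the header cannot choose the directory.
    """
    name = filename_from_content_disposition(header)
    if not name:
        raise ValueError("missing filename in Content-Disposition")
    if name in (".", "..") or posixpath.basename(name) != name:
        raise ValueError(f"rejected traversal in server-supplied filename: {name!r}")
    target = posixpath.join(data_dir, name)
    if not is_contained(data_dir, target):
        raise ValueError(f"target escapes data directory: {target}")
    return target


def flag_suspicious_writes(events, data_dir=DATA_DIR):
    """Detection pass over (timestamp, absolute path) file-write events.

    Returns (timestamp, path, reason) for writes into the autostart directory
    and for writes anywhere outside the client data directory.
    """
    findings = []
    for ts, path in events:
        if is_contained(AUTOSTART_DIR, path):
            findings.append((ts, path, "write into autostart directory"))
        elif not is_contained(data_dir, path):
            findings.append((ts, path, "write outside client data directory"))
    return findings


if __name__ == "__main__":
    # Constructed header values, not captured server traffic.
    good = 'attachment; filename="submission-1.gpg"'
    bad = 'attachment; filename="../../.config/autostart/x.desktop"'
    print(download_target(good))
    try:
        download_target(bad)
    except ValueError as exc:
        print("blocked:", exc)

    # Constructed file-write events, not real SecureDrop Client logs.
    events = [
        ("2025-01-01T10:00:00Z", "/home/user/.securedrop_client/data/submission-1.gpg"),
        ("2025-01-01T10:00:05Z", "/home/user/.config/autostart/x.desktop"),
        ("2025-01-01T10:00:09Z", "/home/user/.securedrop_client/data/../../evil.sh"),
    ]
    for finding in flag_suspicious_writes(events):
        print(finding)
```

The containment check is purely lexical; a deployment that allows symlinks under the data directory should additionally resolve the final path on disk before writing, since normpath cannot see where a link points.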

Network Indicators:

  • Unusual HTTP responses from SecureDrop Server with crafted Content-Disposition headers

SIEM Query:

Search for 'safe_move failed' or 'path traversal detected' in SecureDrop Client logs, combined with file creation events in unexpected directories
