CVE-2025-24889

4.5 MEDIUM

📋 TL;DR

A path traversal vulnerability in SecureDrop Client allows attackers with existing code execution in one virtual machine to achieve code execution in the isolated sd-log VM. This enables lateral movement between log-enabled VMs but not beyond the SecureDrop Workstation. Only SecureDrop Workstation users with versions before 0.14.1 or 1.0.1 are affected.

💻 Affected Systems

Products:
  • SecureDrop Client
Versions: All versions before 0.14.1 and 1.0.1
Operating Systems: Qubes OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SecureDrop Workstation deployments using Qubes OS with the vulnerable client versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains code execution in the sd-log VM, potentially modifying configuration files to maintain persistence or disrupt logging functionality.

🟠 Likely Case

Attacker overwrites logs of other VMs or writes arbitrary files in user directories, potentially disrupting system functionality.

🟢 If Mitigated

With proper Qubes isolation, impact is limited to the sd-log VM only, preventing further lateral movement or data exfiltration.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing code execution in another VM on the same SecureDrop Workstation. Not remotely exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.1 or 1.0.1

Vendor Advisory: https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-933q-fx9h-5g46

Restart Required: Yes

Instructions:

1. Update SecureDrop Client to version 0.14.1 or 1.0.1.
2. Restart all affected VMs.
3. Verify the patch is applied by checking version numbers.

🔧 Temporary Workarounds

Disable automatic log collection (Linux / Qubes OS)

Temporarily disable centralized log collection to the sd-log VM by modifying the Qubes RPC policy to restrict log forwarding to sd-log.

🧯 If You Can't Patch

  • Implement strict monitoring of inter-VM communication via Qubes RPC policies
  • Regularly audit log files in sd-log VM for suspicious entries or unexpected file modifications

🔍 How to Verify

Check if Vulnerable:

Check the SecureDrop Client version: if it is below 0.14.1 or 1.0.1, the system is vulnerable.

Check Version:

Check the SecureDrop Client version in the application interface or package manager.

Verify Fix Applied:

Confirm SecureDrop Client version is 0.14.1 or 1.0.1 and verify the commit 3012bf7289389b5ec0f5f4db0f009a17dee1f586 is present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual log entries with crafted VM names containing path traversal sequences (../)
  • Unexpected files in /home/user/.config/autostart/ directory

Network Indicators:

  • Unusual Qubes RPC traffic patterns between VMs

SIEM Query:

Search for log entries containing path traversal patterns or unexpected file creation events in sd-log VM.
