CVE-2025-27092

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in GHOSTS version 8.0.0.0 allows attackers to read arbitrary files from the server's filesystem by exploiting the photo retrieval endpoint. This affects all users running vulnerable versions of the GHOSTS user simulation framework, potentially exposing sensitive configuration files, credentials, and other system data.

💻 Affected Systems

Products:
  • GHOSTS
Versions: 8.0.0.0 up to, but not including, 8.2.7.90
Operating Systems: All platforms running GHOSTS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable endpoint exposed are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration files containing secrets, potentially leading to lateral movement or data exfiltration.

🟠 Likely Case

Exposure of sensitive application configuration files, user data, or system information that could be used for further attacks or reconnaissance.

🟢 If Mitigated

Limited impact if proper file permissions restrict web application process access to sensitive directories and files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating or modifying an NPC with a malicious photoLink value containing path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.7.90

Vendor Advisory: https://github.com/cmu-sei/GHOSTS/security/advisories/GHSA-qr67-m6w9-wj3j

Restart Required: No

Instructions:

1. Back up your GHOSTS configuration and data.
2. Stop the GHOSTS service.
3. Upgrade to version 8.2.7.90 or later using your package manager or by downloading from GitHub.
4. Restart the GHOSTS service.

🔧 Temporary Workarounds

No known workarounds


The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to the GHOSTS API endpoints to trusted sources only.
  • Apply strict file system permissions to limit the web application process's access to sensitive directories and files.

🔍 How to Verify

Check if Vulnerable:

Check whether your GHOSTS version is 8.0.0.0 or later but earlier than 8.2.7.90 by examining the application version or configuration files.

Check Version:

Check the GHOSTS application logs, configuration files, or use the application's admin interface to determine the version.

Verify Fix Applied:

Verify the installed version is 8.2.7.90 or later and test the /api/npcs/{id}/photo endpoint with path traversal attempts to confirm sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/npcs/*/photo endpoint containing ../ or ..\ sequences
  • Failed file access attempts outside expected photo directories

Network Indicators:

  • HTTP requests to photo endpoint with path traversal patterns in parameters

SIEM Query:

source="ghosts" AND (uri_path="/api/npcs/*/photo" AND (request_parameters CONTAINS "../" OR request_parameters CONTAINS "..\\"))
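A defender-side scanner that applies the indicators above to request logs, added here as an example and not part of the advisory or the GHOSTS project. It goes slightly beyond the SIEM query: it percent-decodes the request before looking for ../ or ..\ so that encoded forms are not missed, and it also flags NPC create/update requests whose logged body sets photoLink to a traversal value, since that is where the advisory says the malicious value is introduced. The tab-separated log format, the `file` query parameter and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real GHOSTS logs). Assumed format:
# method, path, status, optional logged request body, tab-separated.
SAMPLE_LOG = """\
GET\t/api/npcs/42/photo\t200\t
GET\t/api/npcs/42/photo?file=../../../etc/passwd\t200\t
GET\t/api/npcs/7/photo?file=..%2F..%2Fappsettings.json\t200\t
PUT\t/api/npcs/7\t200\t{"photoLink": "../../appsettings.json"}
POST\t/api/npcs\t201\t{"photoLink": "npc7.png"}
GET\t/api/machines\t200\t
"""

PHOTO_ENDPOINT = re.compile(r"^/api/npcs/[^/]+/photo")   # /api/npcs/{id}/photo
NPC_WRITE = re.compile(r"^/api/npcs(/[^/?]+)?$")         # create or modify an NPC
TRAVERSAL = re.compile(r"\.\.[\\/]")                     # ../ or ..\


def has_traversal(text: str) -> bool:
    """True if the text contains ../ or ..\\ once percent-encoding is removed."""
    return bool(TRAVERSAL.search(unquote(text)))


def scan_log(log: str) -> list[dict]:
    """Return one finding per suspicious line with the reason it was flagged."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        method, path, _status, body = (line.split("\t", 3) + [""])[:4]
        if PHOTO_ENDPOINT.match(path) and has_traversal(path):
            findings.append({"line": lineno, "path": path,
                             "reason": "traversal in photo endpoint request"})
        elif (method in ("POST", "PUT", "PATCH")
              and NPC_WRITE.match(path.split("?", 1)[0])
              and "photoLink" in body and has_traversal(body)):
            findings.append({"line": lineno, "path": path,
                             "reason": "traversal in NPC photoLink"})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```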
