CVE-2025-27410

6.5 MEDIUM

📋 TL;DR

CVE-2025-27410 is a path traversal vulnerability in PwnDoc's backup restore functionality that allows authenticated administrators to overwrite arbitrary files on the system. By overwriting JavaScript files and restarting the container, attackers can achieve remote code execution with administrative privileges. This affects all PwnDoc installations prior to version 1.2.0.
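The root cause is a restore routine that writes archive entries without confining them to the restore directory. The following is an added illustration (not PwnDoc's code) of the containment check such a routine needs; the restore root, entry names and the audit helper are constructed for this example.

```python
import os
from pathlib import PurePosixPath

# Assumed restore directory (constructed for this example, not PwnDoc's path).
RESTORE_ROOT = "/app/backups/restore"


class UnsafeBackupEntry(ValueError):
    """Raised when an archive entry would land outside the restore root."""


def safe_restore_path(entry_name: str, root: str = RESTORE_ROOT) -> str:
    """Return the absolute destination for an archive entry, or raise.

    Rejects empty and absolute names, any '..' component, and anything
    that still escapes `root` after normalisation.
    """
    p = PurePosixPath(entry_name)
    if not entry_name or p.is_absolute() or ".." in p.parts:
        raise UnsafeBackupEntry(f"rejected entry name: {entry_name!r}")
    dest = os.path.normpath(os.path.join(root, entry_name))
    # Defence in depth: re-check containment on the normalised path.
    if os.path.commonpath([root, dest]) != os.path.normpath(root):
        raise UnsafeBackupEntry(f"entry escapes restore root: {entry_name!r}")
    return dest


def audit_backup_entries(entry_names):
    """Split archive entry names into (accepted destinations, rejected names)."""
    accepted, rejected = [], []
    for name in entry_names:
        try:
            accepted.append(safe_restore_path(name))
        except UnsafeBackupEntry:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed archive listing: two ordinary entries and two entries of the
    # traversal shape this advisory describes (a relative '..' chain and an
    # absolute path aimed at a JavaScript file).
    sample = [
        "audits/2025/report.json",
        "settings/settings.json",
        "../../app/example.js",
        "/app/example.js",
    ]
    ok, bad = audit_backup_entries(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```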

💻 Affected Systems

Products:
  • PwnDoc (pwndoc)
Versions: All versions prior to 1.2.0
Operating Systems: All (container-based deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with 'backups:create' and 'backups:update' permissions (administrators by default).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through remote code execution leading to data theft, lateral movement, and persistent backdoors.

🟠 Likely Case: Administrative account takeover leading to unauthorized access to penetration test reports and sensitive client data.

🟢 If Mitigated: Limited impact if proper access controls restrict backup functionality to trusted administrators only.

🌐 Internet-Facing: MEDIUM - Requires authenticated admin access, but internet-facing instances increase attack surface.
🏢 Internal Only: MEDIUM - Internal attackers with admin credentials or compromised admin accounts can exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0

Vendor Advisory: https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx

Restart Required: Yes

Instructions:

1. Stop the PwnDoc container.
2. Pull the latest image: 'docker pull pwndoc/pwndoc:1.2.0'.
3. Update docker-compose.yml to use version 1.2.0.
4. Restart the container: 'docker-compose up -d'.

🔧 Temporary Workarounds

Disable backup functionality (applies to: all)

Remove backup permissions from all users to prevent exploitation: modify user roles to remove the 'backups:create' and 'backups:update' permissions.

Restrict admin access (applies to: all)

Implement strict access controls and MFA for administrative accounts.

🧯 If You Can't Patch

  • Implement network segmentation to isolate PwnDoc instances from critical systems
  • Enable comprehensive logging and monitoring of backup-related activities and file modifications

🔍 How to Verify

Check if Vulnerable:

Check PwnDoc version via web interface or container inspection: 'docker exec <container_name> cat /app/package.json | grep version'

Check Version:

docker exec pwndoc_container cat /app/package.json | grep version

Verify Fix Applied:

Confirm the version is 1.2.0 or higher, and confirm that the backup restore functionality rejects archive entries containing path traversal sequences.

📡 Detection & Monitoring

Log Indicators:

  • Unusual backup restore activities
  • File modification events in system directories
  • Administrative account login anomalies

Network Indicators:

  • Unexpected outbound connections from PwnDoc container
  • Suspicious file uploads to backup endpoints

SIEM Query:

source="pwndoc" AND (event="backup_restore" OR event="file_write") AND path CONTAINS ".."
