CVE-2025-48868
📋 TL;DR
Horilla HRMS version 1.3.0 contains an authenticated Remote Code Execution vulnerability where privileged users (like administrators) can execute arbitrary system commands on the server. The vulnerability exists due to unsafe use of Python's eval() function on user-controlled query parameters in the project_bulk_archive view. This affects all Horilla 1.3.0 installations with authenticated privileged users.
💻 Affected Systems
- Horilla HRMS
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, lateral movement, ransomware deployment, or complete system takeover.
Likely Case
Privileged user executes commands to exfiltrate sensitive HR data, install backdoors, or disrupt operations.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and strong authentication controls.
🎯 Exploit Status
Exploitation requires authenticated privileged access. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.1
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-h6qj-pwmx-wjhw
Restart Required: Yes
Instructions:
1. Backup your Horilla instance and database. 2. Update Horilla to version 1.3.1 via pip: 'pip install horilla==1.3.1'. 3. Restart the Horilla application server. 4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable project_bulk_archive endpoint
allTemporarily disable or restrict access to the vulnerable view until patching.
Modify Django URL routing to remove/restrict access to project_bulk_archive
Implement WAF rules
allBlock requests containing eval() or suspicious Python commands in query parameters.
Add WAF rule: 'block if request_uri contains eval(' or contains '__import__'
🧯 If You Can't Patch
- Restrict privileged user accounts to only trusted personnel and implement multi-factor authentication.
- Implement network segmentation to isolate Horilla servers from critical infrastructure.
🔍 How to Verify
Check if Vulnerable:
Check Horilla version: if version is exactly 1.3.0, the system is vulnerable.Check Version:
pip show horilla | grep VersionVerify Fix Applied:
Verify Horilla version is 1.3.1 or higher and test that eval() is no longer used in project_bulk_archive.📡 Detection & Monitoring
Log Indicators:
- Unusual Python eval() calls in application logs
- Suspicious commands in query parameters to project_bulk_archive
- Unexpected process execution from Horilla user
Network Indicators:
- HTTP requests with Python code in query parameters
- Outbound connections from Horilla server to unknown IPs
SIEM Query:
source="horilla_logs" AND (message="eval" OR message="__import__" OR message="os.system")🔗 References
- https://drive.google.com/file/d/1XQAJilt77QxkjGEa94CsZRqZIZXa3ET9/view?usp=sharing
- https://drive.google.com/file/d/1hnI9AK3fnpVrTlTRF7aRJsKhZCDIm2Ve/view?usp=sharing
- https://github.com/horilla-opensource/horilla/commit/b0aab62b3a5fe6b7114b5c58db129b3744b4d8cc
- https://github.com/horilla-opensource/horilla/security/advisories/GHSA-h6qj-pwmx-wjhw
