CVE-2025-67083
📋 TL;DR
CVE-2025-67083 is a directory traversal vulnerability in InvoicePlane that allows unauthenticated attackers to read arbitrary files from the server. The impact depends on web server configuration and permissions, potentially exposing sensitive data. All InvoicePlane installations through version 1.6.3 are affected.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane by InvoicePlane
⚠️ Risk & Real-World Impact
Worst Case
Attackers read sensitive files like configuration files, database credentials, or system files, leading to full system compromise or data breach.
Likely Case
Attackers read application configuration files containing database credentials or other sensitive information, enabling further attacks.
If Mitigated
Limited file access due to proper web server permissions and directory restrictions, exposing only non-sensitive files.
🎯 Exploit Status
Directory traversal attacks are well-understood and easy to automate. Public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4 or later
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane
Restart Required: No
Instructions:
1. Back up your InvoicePlane installation and database.
2. Download InvoicePlane 1.6.4 or later from GitHub.
3. Replace all files except uploads and custom configuration.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Web Server Path Restriction
Configure the web server to restrict access to parent directories (all platforms):
# Apache: ensure Directory directives restrict parent traversal
# Nginx: use location blocks with proper path validation
File Permission Hardening
Restrict read permissions on sensitive files (Linux); the files must remain readable by the account the web server runs as:
chmod 600 config/database.php
chmod 600 .env
# repeat for any other sensitive configuration files
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block directory traversal patterns
- Isolate InvoicePlane instance behind reverse proxy with strict path validation
🔍 How to Verify
Check if Vulnerable:
Check whether the InvoicePlane version is 1.6.3 or earlier. Attempt to access files outside the web root using ../ sequences in URLs.
Check Version:
Check includes/version.php or view the footer in the InvoicePlane admin interface.
Verify Fix Applied:
Verify the version is 1.6.4 or later. Test that directory traversal attempts return proper errors instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests with ../ patterns
- Access to unusual file paths in web logs
- Failed attempts to access sensitive files
Network Indicators:
- HTTP requests containing ../ sequences
- Unusual file extensions in GET parameters
SIEM Query:
web.url:*../* AND (web.status:200 OR web.status:403) AND dest.app:"InvoicePlane"
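As an added example (not part of this advisory), the Python below runs the log indicators above over constructed Apache-style access log lines: it keeps requests with a parent-directory step that the server answered with status 200 or 403, and counts hits per client. It goes beyond the literal `*../*` SIEM match by percent-decoding each URL repeatedly, so `..%2f` and double-encoded `%252e%252e/` forms are caught as well. All addresses, timestamps and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not a real capture).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /invoices/view/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:01:05 +0000] "GET /index.php/../../config/database.php HTTP/1.1" 200 1432 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2025:10:01:06 +0000] "GET /index.php/..%2f..%2f.env HTTP/1.1" 200 880 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2025:10:02:11 +0000] "GET /uploads/%252e%252e/%252e%252e/.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:10:02:12 +0000] "GET /assets/css/style.css HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Jan/2025:10:03:00 +0000] "GET /index.php/../../config/database.php HTTP/1.1" 404 150 "-" "curl/8.4.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parent-directory step ("../" or "..\") in the decoded URL.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def normalize_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e/ is caught as well."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def is_traversal(url: str) -> bool:
    """True if the decoded URL contains a parent-directory step."""
    return TRAVERSAL_RE.search(normalize_url(url)) is not None

def scan_log(text: str, statuses=("200", "403")) -> list[dict]:
    """Return traversal requests answered with one of `statuses`
    (200: a file may have been read; 403: blocked, but still worth an alert)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"] in statuses and is_traversal(m["url"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "url": m["url"], "decoded": normalize_url(m["url"])})
    return findings

def per_source_counts(findings: list[dict]) -> dict[str, int]:
    """Count hits per client so repeated probing from one address stands out."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

A 200 response to a decoded path that leaves the web root is the case to investigate first, since it indicates the file contents may have been returned.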