Platform
python
Component
ml-logger
Fixed in
255.0.1
CVE-2025-10951 describes a path traversal vulnerability in geyang ml-logger. The flaw lets a remote attacker read files and directories on the server outside the directory the application intends to expose. It affects builds of ml-logger up to commit acf255bade5be6ad88d90735c8367b28cbe3a743; a fix is available in version 255.0.1.
The weakness is in the log_handler function, which takes a client-supplied File argument and uses it to build a filesystem path without confining the result to the intended log directory. Sequences such as ../ therefore let a remote client walk out of that directory and read configuration files, source code, or system files that the server process can read. Exploitation needs only network access to the ml-logger endpoint, and because a public exploit exists, opportunistic attacks are more likely. The impact is disclosure of sensitive data; leaked credentials or configuration can in turn enable further compromise.
CVE-2025-10951 is publicly disclosed and a proof-of-concept exploit is available, which lowers the bar for attackers. It is not currently listed in CISA's KEV catalog, and the EPSS score shown on this page (0.06%, 18th percentile) predicts little exploitation activity, but internet-reachable instances should still be patched promptly and monitored. The vulnerability was published on 2025-09-25.
Any deployment whose ml-logger endpoint is reachable by untrusted clients is at risk, especially where the server process has broad read access to the filesystem or where credentials and configuration live under a path it can reach. Multi-tenant hosts that share a single ml-logger instance are also exposed, since one tenant's request can reach files belonging to another.
Detection hints:
• linux / server:
journalctl -u ml-logger -g '\.\./|%2e%2e'
(assumes the server runs under a systemd unit named ml-logger; -g matches a regular expression against journal messages, so this only helps if the server logs the requested paths)
• generic web:
grep -Ei '\.\./|%2e%2e|%252e' /var/log/nginx/access.log
(assumes a reverse proxy in front of ml-logger writing to that file; adjust the path to your deployment. A header probe such as curl -I reveals nothing about this flaw, since the traversal happens in the request path, not in response headers.)
Exploit status: disclosure, PoC
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
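The detection hints above amount to grepping request logs for traversal sequences. A literal ../ pattern misses percent-encoded and double-encoded forms and false-positives on names that merely contain two dots. The following Python is added here as an illustration; it is not taken from the ml-logger project or from the original advisory. It applies the check correctly over a constructed set of access-log lines in common log format (ml-logger's own request log format is not given on this page, so the line layout and the /files/ path prefix are assumptions):

```python
import re
from urllib.parse import unquote

# Constructed sample in common log format; ml-logger's own request log format
# is not documented on this page, so the layout and the /files/ prefix are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2025:10:00:01 +0000] "GET /files/run1/metrics.pkl HTTP/1.1" 200 512
10.0.0.7 - - [25/Sep/2025:10:00:02 +0000] "GET /files/../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [25/Sep/2025:10:00:03 +0000] "GET /files/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
10.0.0.7 - - [25/Sep/2025:10:00:04 +0000] "GET /files/%252e%252e/run1/config.yml HTTP/1.1" 200 300
10.0.0.9 - - [25/Sep/2025:10:00:05 +0000] "GET /files/run..2/notes.txt HTTP/1.1" 200 20
10.0.0.9 - - [25/Sep/2025:10:00:06 +0000] "GET /files/..\\..\\windows\\win.ini HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded, so a chain of
    %25 cannot loop forever), then map backslashes to '/' so Windows-style
    traversal is normalised as well."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """Flag only a whole '..' segment; 'run..2' is a legitimate file name."""
    without_query = path.split("?", 1)[0]
    return any(segment == ".." for segment in without_query.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return (line number, decoded path) for every request that traverses."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = decode_path(match.group(1))
        if has_traversal(decoded):
            hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {lineno}: {path}")
```

Lines 2, 3, 4 and 6 of the sample are flagged; line 5 (run..2) is not, and line 4 is caught only because decoding is repeated, which a single-pass grep for %2e%2e would miss.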
The primary mitigation for CVE-2025-10951 is to upgrade ml-logger to 255.0.1 or later, the fixed version listed at the top of this page. Because the affected range is expressed as a commit hash rather than a release number (the project is distributed as a rolling release), also confirm that your installed build postdates commit acf255bade5be6ad88d90735c8367b28cbe3a743. As a temporary workaround, validate the File argument handled by log_handler: resolve the requested path against the log root and reject anything that lands outside it, rather than blacklisting the string ../. A Web Application Firewall rule that blocks ../ and its percent-encoded forms (%2e%2e, %252e) reduces exposure but is not a fix, since encoding variants and backslash separators routinely bypass such patterns. After upgrading, verify the fix by requesting a file outside the log directory with a crafted path; the server should refuse it.
Update the ml-logger library to a version later than acf255bade5be6ad88d90735c8367b28cbe3a743. If no such version is available, review the code of the log_handler function in server.py and fix the path traversal by validating and sanitizing the File argument.
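To show what the workaround described above means in code, here is a constructed Python example of the vulnerable join beside a hardened one. It is not ml-logger's own log_handler or server.py; the directory layout, file names and the unsafe_join/safe_join names are assumptions for illustration. The checks themselves (reject absolute paths and NUL bytes, resolve symlinks and .. segments, then require the result to stay under the resolved root) are the generic fix for this class of bug, and the demo also covers the symlink case that a string-only check would miss:

```python
import os
import shutil
import tempfile
from pathlib import Path


def unsafe_join(log_root: str, requested: str) -> str:
    """Vulnerable pattern: the client-controlled name is appended to the log
    directory with no containment check. '../' walks out of the tree, and an
    absolute 'requested' makes os.path.join drop log_root entirely."""
    return os.path.normpath(os.path.join(log_root, requested))


def safe_join(log_root: str, requested: str) -> Path:
    """Hardened pattern: reject absolute paths and NUL bytes up front, resolve
    symlinks and '..' segments, then insist the result is a path strictly below
    the resolved root. Raises ValueError on any escape attempt."""
    if "\x00" in requested or Path(requested).is_absolute():
        raise ValueError(f"absolute path or NUL byte rejected: {requested!r}")
    root = Path(log_root).resolve()
    candidate = (root / requested).resolve()
    # root itself is not an acceptable target either, so 'parents' is the right test
    if root not in candidate.parents:
        raise ValueError(f"path escapes log root: {requested!r}")
    return candidate


def demo() -> dict:
    """Exercise both functions against a temporary, constructed log tree."""
    base = Path(tempfile.mkdtemp())
    root = base / "logs"
    (root / "run1").mkdir(parents=True)
    (root / "run1" / "metrics.pkl").write_bytes(b"constructed sample")
    outside = base / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("not for clients")
    # A symlink planted inside the tree that points outside it: a check on the
    # unresolved string would accept 'run1/link/secret.txt', resolve() does not.
    os.symlink(outside, root / "run1" / "link")

    results = {}
    escaped = unsafe_join(str(root), "../outside/secret.txt")
    results["unsafe_escapes"] = not escaped.startswith(str(root) + os.sep)
    results["unsafe_absolute"] = unsafe_join(str(root), "/etc/passwd") == "/etc/passwd"
    results["safe_ok"] = (
        safe_join(str(root), "run1/metrics.pkl").read_bytes() == b"constructed sample"
    )
    for name in ("../outside/secret.txt", "/etc/passwd", "run1/link/secret.txt",
                 "run1/../../outside/secret.txt", "a\x00b"):
        try:
            safe_join(str(root), name)
            results[name] = "ALLOWED"
        except ValueError:
            results[name] = "rejected"
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The containment test compares resolved paths, which is why the symlink and the absolute-path cases are both rejected; a check that merely searches the requested string for ../ would pass the symlink request and, depending on the join, the absolute one.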
CVE-2025-10951 is a path traversal vulnerability in geyang ml-logger affecting builds up to commit acf255bade5be6ad88d90735c8367b28cbe3a743; it lets a remote attacker read files that the server process can access.
If you run an ml-logger version earlier than 255.0.1, or a build from a commit at or before acf255bade5be6ad88d90735c8367b28cbe3a743, you are potentially affected. Check your installed version or commit against that range.
Upgrade to ml-logger 255.0.1 or later. If you cannot upgrade immediately, add path validation in log_handler and use WAF rules against traversal sequences as a stopgap, not as a substitute for the fix.
A public proof-of-concept exists, which lowers the bar for attackers even though the EPSS estimate on this page is low. Prioritize remediation for instances reachable from untrusted networks.
Refer to the geyang ml-logger project's repository (release notes or commit history) for the upstream fix and the official details of this vulnerability.