Platform
python
Component
securedrop-client
Fixed in
0.14.2
CVE-2025-24888 describes a Path Traversal vulnerability discovered in the SecureDrop Client, a desktop application used by journalists to securely receive submissions from sources. This vulnerability allows a malicious SecureDrop Server to potentially gain code execution on the SecureDrop Client virtual machine (sd-app). The vulnerability affects versions of the SecureDrop Client prior to 0.14.1, and a fix is available in version 0.14.1.
The impact of this vulnerability is significant, as it allows a compromised SecureDrop Server to execute arbitrary code on the client machine. This could lead to complete compromise of the SecureDrop Client environment, allowing an attacker to steal sensitive data, install malware, or pivot to other systems on the journalist's network. Given SecureDrop's purpose of secure communication, a successful exploitation could expose confidential information and compromise the integrity of journalistic sources and reporting. The SecureDrop Server itself is designed with multiple layers of hardening, but this vulnerability bypasses those protections by exploiting a flaw in the client application.
This vulnerability was publicly disclosed on February 13, 2025. There is no indication of active exploitation at this time, but the severity and potential impact warrant immediate attention. As a path traversal flaw, it is likely exploitable along the same lines as other path traversal vulnerabilities, though no specific exploit details have been publicly released. The SecureDrop project is actively monitoring the situation.
News organizations and journalists who rely on SecureDrop for secure communication with sources are at significant risk. Specifically, those using older versions of the SecureDrop Client (≤ 0.14.1) and those with configurations where the SecureDrop Server is not adequately secured are particularly vulnerable.
• linux / server: Monitor SecureDrop Server logs for unusual file access attempts or connections to the SecureDrop Client. Use journalctl -f to monitor for suspicious activity: journalctl -f | grep "sd-app"
• python: Examine SecureDrop Client application logs for any errors related to file path manipulation or access.
• generic web: If the SecureDrop Server exposes any web interfaces, check for unusual file requests or directory traversal attempts in access logs.
disclosure
Exploit status
EPSS
3.07% (87th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-24888 is to immediately upgrade the SecureDrop Client to version 0.14.1 or later. Prior to upgrading, it's crucial to back up the client's configuration and data. If upgrading causes compatibility issues, consider rolling back to a previous, known-stable version of the client, but understand this only provides temporary protection. Network segmentation between the SecureDrop Server and Client can limit the potential blast radius. Monitor network traffic for unusual connections between the server and client, looking for attempts to access files outside of expected directories. After upgrading, verify the fix by attempting to access files outside the intended directory from the SecureDrop Server; access should be denied.
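A minimal illustration of the bug class this advisory covers, added here as an example and not taken from the securedrop-client code base: a client must never let a server-supplied file name decide where a download lands. `safe_download_path`, `triage` and `self_check` are hypothetical helpers, and the sample names are constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

def safe_download_path(download_dir: str, server_name: str) -> Path:
    """Map a server-supplied file name onto download_dir, or raise ValueError.
    Rejected: empty, '.' and '..', any path separator or NUL, and names that
    resolve (e.g. through a planted symlink) outside the download directory."""
    base = Path(download_dir).resolve()
    if (server_name in ("", ".", "..")
            or any(c in server_name for c in ("/", "\\", "\0"))):
        raise ValueError(f"rejected server-supplied name: {server_name!r}")
    candidate = (base / server_name).resolve()  # follows symlinks inside download_dir
    if candidate.parent != base:
        raise ValueError(f"name escapes download directory: {server_name!r}")
    return candidate

def triage(download_dir: str, names: List[str]) -> Dict[str, str]:
    """Return 'ok' or 'rejected' for each server-supplied name."""
    verdicts = {}
    for name in names:
        try:
            safe_download_path(download_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts

# Constructed sample of server-supplied names; only the first one is acceptable.
SAMPLE_NAMES = [
    "1-memo.gpg",
    "../../home/user/.ssh/authorized_keys",
    "/etc/passwd",
    "sub/dir/file.gpg",
    "..",
]

def self_check() -> Dict[str, str]:
    """Run triage() in a fresh temporary download directory that also contains
    a symlink pointing to its parent; that planted link must be rejected too."""
    with tempfile.TemporaryDirectory() as d:
        os.symlink(os.path.dirname(os.path.realpath(d)), os.path.join(d, "planted-link.gpg"))
        return triage(d, SAMPLE_NAMES + ["planted-link.gpg"])

if __name__ == "__main__":
    for name, verdict in self_check().items():
        print(f"{verdict:8} {name}")
```

The symlink case matters because a fix that only inspects the string (no `..`, no separator) still lets a link already present in the download directory redirect a write elsewhere.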
Upgrade SecureDrop Client to version 0.14.1 or later. This version fixes the path traversal vulnerability. The update can be performed through SecureDrop's usual distribution channels.
CVE-2025-24888 is a Path Traversal vulnerability affecting SecureDrop Client versions prior to 0.14.1. It allows a malicious SecureDrop Server to potentially execute code on the client's virtual machine.
You are affected if you are using SecureDrop Client version 0.14.1 or earlier. Upgrade to 0.14.1 or later to mitigate the risk.
Upgrade the SecureDrop Client to version 0.14.1 or later. If immediate upgrade is not possible, isolate the client from potentially malicious servers.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the official SecureDrop security advisories on their website: https://securedrop.email/security/