HIGH · CVE-2024-48931 · CVSS 7.5

CVE-2024-48931: Arbitrary File Access in ZimaOS

Platform: linux

Component: zimaos

Fixed in: 1.2.5

AI Confidence: high · Source: NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2024-48931 describes an Arbitrary File Access vulnerability discovered in ZimaOS, a fork of CasaOS. This flaw allows authenticated users to read arbitrary files on the system by manipulating the files parameter in the /v3/file API endpoint. The vulnerability impacts versions of ZimaOS up to and including 1.2.4, and a patch is available in version 1.2.5.

Impact and Attack Scenarios

The primary impact of CVE-2024-48931 is the potential for unauthorized access to sensitive system files. An attacker who can exploit this vulnerability can read files such as /etc/shadow, which contains password hashes for all user accounts on the system. Successful exploitation could lead to privilege escalation, allowing the attacker to gain root access and completely compromise the ZimaOS instance. The ability to read configuration files and other sensitive data also presents a significant risk of data exfiltration and further system compromise. This vulnerability shares similarities with other file access vulnerabilities where improper input validation allows attackers to bypass security controls.

Exploitation Context

CVE-2024-48931 was publicly disclosed on 2024-10-24. The vulnerability is not currently listed on the CISA KEV catalog, and there are no publicly available proof-of-concept exploits at the time of writing. However, the ease of exploitation and the potential for significant impact suggest that it could become a target for attackers. The vulnerability's reliance on authentication means that attackers would need to obtain valid credentials to exploit it.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.53% (67th percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS v3.1 Base Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: zimaos
Vendor: IceWhaleTech
Affected range: <= 1.2.4
Fixed in: 1.2.5

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-48931 is to upgrade ZimaOS to version 1.2.5 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /v3/file endpoint with suspicious files parameters. Specifically, look for parameters containing absolute paths or attempts to access system directories like /etc. Additionally, restrict access to the ZimaOS API to trusted networks and users. After upgrading, verify the fix by attempting to access a sensitive file (e.g., /etc/shadow) through the /v3/file endpoint; the request should be rejected.
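A defender-side example of the WAF rule and log check the mitigation above describes, added here and not code from ZimaOS, IceWhaleTech or this advisory. It assumes /DATA as the share root, comma-separated `files` values, and a constructed access-log format; the rule also catches `..` traversal and double-encoded values, which a match on absolute paths alone would miss:

```python
"""Added example, not ZimaOS or nextguardhq code. Assumptions: share root
/DATA, comma-separated `files` values, and the constructed log sample below."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_BASE = "/DATA"  # assumed share root of a ZimaOS install
SYSTEM_DIRS = ("/etc", "/root", "/proc", "/var", "/usr", "/boot", "/home")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_suspicious_path(value: str) -> bool:
    """'..' traversal, absolute path outside the share root, or a system dir."""
    # Decode again so a double-encoded value cannot slip past the match.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if ".." in decoded.split("/"):
        return True
    if decoded.startswith("/"):
        resolved = posixpath.normpath(decoded)
        if any(resolved == d or resolved.startswith(d + "/") for d in SYSTEM_DIRS):
            return True
        if resolved != ALLOWED_BASE and not resolved.startswith(ALLOWED_BASE + "/"):
            return True
    return False

def request_is_suspicious(request_target: str) -> bool:
    """Apply the rule to one request target such as '/v3/file?files=...'."""
    parts = urlsplit(request_target)
    if not parts.path.startswith("/v3/file"):
        return False
    for value in parse_qs(parts.query).get("files", []):
        if any(is_suspicious_path(item) for item in value.split(",")):
            return True
    return False

def flag_log_lines(log_text: str) -> list[str]:
    """Return 'client target' for each suspicious /v3/file request in a log."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and request_is_suspicious(m.group(1)):
            hits.append(f"{line.split()[0]} {m.group(1)}")
    return hits

SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2024:10:00:01 +0000] "GET /v3/file?files=/DATA/photos/a.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [24/Oct/2024:10:00:02 +0000] "GET /v3/file?files=../../etc/shadow HTTP/1.1" 200 1337
10.0.0.9 - - [24/Oct/2024:10:00:03 +0000] "GET /v3/file?files=%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [24/Oct/2024:10:00:04 +0000] "GET /v3/file?files=%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.5 - - [24/Oct/2024:10:00:05 +0000] "GET /v1/users/current HTTP/1.1" 200 300
"""
```

Run `flag_log_lines` over a real access log to find requests that should have been blocked; a 200 status on a flagged line is the signal to investigate.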

How to fix

Update to a patched version when one is available. Where no patched version is available, restrict access to the API and monitor the system for unauthorized access until an update is published.

Frequently asked questions

What is CVE-2024-48931 — Arbitrary File Access in ZimaOS?

CVE-2024-48931 is a HIGH severity vulnerability in ZimaOS versions ≤1.2.4 that allows authenticated users to read arbitrary files, potentially including sensitive system files like /etc/shadow.

Am I affected by CVE-2024-48931 in ZimaOS?

You are affected if you are running ZimaOS version 1.2.4 or earlier. Upgrade to version 1.2.5 to mitigate the risk.

How do I fix CVE-2024-48931 in ZimaOS?

Upgrade ZimaOS to version 1.2.5 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /v3/file endpoint.

Is CVE-2024-48931 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.

Where can I find the official ZimaOS advisory for CVE-2024-48931?

Refer to the ZimaOS official website and GitHub repository for the latest security advisories and updates related to CVE-2024-48931.
