Platform: other
Component: apollo
Fixed in: 2.8.0
CVE-2025-23410 describes a critical Path Traversal vulnerability affecting GMOD Apollo versions 0.0 through 2.8.0. This flaw allows attackers to potentially read sensitive files on the server by manipulating file uploads through the web interface. A patch is available in version 2.8.0, and users are strongly advised to upgrade immediately to mitigate the risk.
The vulnerability lies in how GMOD Apollo handles uploaded organism and sequence data. Specifically, when users upload files via the web interface, Apollo unzips and inspects them without proper path validation for archive types. An attacker can craft a malicious archive containing path traversal sequences (e.g., ../../../../etc/passwd) within the archive's file structure. Upon extraction, Apollo will attempt to access these files, potentially exposing sensitive system files or application configuration data. The blast radius extends to any data accessible by the Apollo process, potentially including user credentials, database connection strings, and other confidential information. This vulnerability is particularly concerning given the potential for unauthorized access and data exfiltration.
CVE-2025-23410 was publicly disclosed on 2025-03-04. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of this writing, but the simplicity of path traversal vulnerabilities suggests that a PoC is likely to emerge. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring.
Exploit Status
EPSS: 0.43% (63rd percentile)
The primary mitigation for CVE-2025-23410 is to upgrade GMOD Apollo to version 2.8.0 or later, which includes the necessary path validation fixes. If immediate upgrading is not possible, consider implementing temporary workarounds. These may include restricting file upload types to only those absolutely necessary, implementing strict file size limits, and employing a Web Application Firewall (WAF) with rules to detect and block attempts to include path traversal sequences in uploaded files. Regularly review and audit file upload processes to identify and address potential vulnerabilities. After upgrading, confirm the fix by attempting to upload a test archive containing a path traversal sequence and verifying that Apollo denies access.
Update GMOD Apollo to version 2.8.0 or higher. This version corrects the path traversal vulnerability by properly validating the file paths extracted from archive files. See the release notes for more details about the update.
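The fix described above, validating every extracted path against the destination directory, is the standard defence for archive path traversal. The following is an added illustration written for this page, not Apollo's own code: it canonicalises each member name, rejects any that resolve outside the target directory, and exercises the check against a constructed archive containing one legitimate file and one `../../` member.

```python
import io
import os
import tempfile
import zipfile


def validate_member_path(dest_dir: str, member_name: str) -> str:
    """Return the absolute extraction target for one archive member, or raise
    ValueError if the normalised path would land outside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Absolute member names can never be legitimate for an upload.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        raise ValueError(f"absolute path in archive: {member_name!r}")
    # realpath collapses every ../ and symlink before the containment check.
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError(f"path traversal in archive: {member_name!r}")
    return target


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract into dest_dir, skipping any member that fails validation.
    Returns {member_name: "ok" | "rejected"} so callers can log rejections."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = validate_member_path(dest_dir, info.filename)
            except ValueError:
                results[info.filename] = "rejected"
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            results[info.filename] = "ok"
    return results


def build_test_archive() -> bytes:
    """Constructed test data (not a real Apollo upload): one organism file
    plus one member whose name carries a traversal sequence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("organism/sequence.fa", ">chr1\nACGT\n")
        zf.writestr("../../outside.txt", "must never be written\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the test archive into a throwaway directory; report per-member results."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_test_archive(), dest)
```

The same containment check belongs in the post-upgrade verification step: a test archive with a traversal member should show up as rejected in the server's logs rather than as a written file.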
CVE-2025-23410 is a critical vulnerability in GMOD Apollo versions 0.0-2.8.0 that allows attackers to read arbitrary files on the server through manipulated file uploads.
If you are using GMOD Apollo versions 0.0 through 2.8.0, you are potentially affected by this vulnerability. Upgrade to version 2.8.0 or later to mitigate the risk.
The recommended fix is to upgrade GMOD Apollo to version 2.8.0 or later. As a temporary workaround, restrict file upload types and implement WAF rules to block path traversal attempts.
While no public exploits are currently known, the vulnerability's critical severity and ease of exploitation suggest a high likelihood of active exploitation.
Please refer to the official GMOD security advisories on their website for the most up-to-date information regarding CVE-2025-23410 and related updates.