Platform
docker
Component
dumbdrop
Fixed in
256.0.1
CVE-2025-24891 describes a critical path traversal vulnerability in DumbDrop, a file upload application, as deployed in its Docker container. A client-supplied file name is used to build the destination path without being confined to the upload directory, so an attacker can overwrite arbitrary files on the container's filesystem. Because the container runs as root by default, the overwritten file can be one the system later executes or loads, which turns a file write into code execution and a full compromise of the container and of anything mounted into it. Exploitation requires no privileged account: an unauthenticated user, or one who knows only the upload PIN, can reach the vulnerable upload handler. Affected builds are those with the SHA-256 hash 'bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97' or earlier; the fix is available in version 256.0.1.
The path traversal lets an attacker bypass the intended restriction that uploads land only in the upload directory. Since the container runs as root by default, the write is not limited by file ownership or permissions: system binaries, configuration files and scheduled tasks are all reachable. Successful exploitation can therefore lead to complete takeover of the container, allowing the attacker to execute arbitrary code, read any data the container holds, and establish persistence that survives until the image is rebuilt. The weak access control compounds the risk: the upload path is reachable without authentication, and where a PIN is configured, knowing the PIN is all that is needed. The blast radius is bounded only by what the container can reach, which includes any host volume mounted into it, so root inside the container is a high-impact outcome even without a container escape.
CVE-2025-24891 carries a CRITICAL CVSS rating. As of the publication date no public exploit has been reported and the vulnerability is not listed in the CISA KEV catalog, but the attack is simple (a crafted file name in an upload request) and the payoff is a root-level file write, so public proof-of-concept code and opportunistic scanning for exposed instances should be expected.
Exploit Status
EPSS
0.13% (32nd percentile)
The primary mitigation is to upgrade DumbDrop to version 256.0.1 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility or downtime constraints, reduce exposure in the meantime: enable the upload PIN so that only trusted users can reach the upload endpoint; restrict network access to the service to the users who need it; and, if a Web Application Firewall fronts the service, add a rule for traversal sequences such as '../'. Treat the WAF rule as a stop-gap only: it inspects the raw request, so percent-encoded forms ('..%2F'), backslash separators and similar variants pass it unless the WAF also normalises input before matching. Monitor container logs for upload requests whose file names contain path separators or encoded separators, and for writes outside the upload directory. After upgrading, verify the fix against a test instance by submitting an upload whose file name contains a traversal sequence and confirming both that the request is rejected and that no file appeared outside the upload directory.
Update DumbDrop to a build that contains the path traversal fix. Independently of the upgrade, do not run the container as root: start it with a non-root user (for example `docker run --user <uid>:<gid>`), mount only the upload directory as writable and run the rest of the root filesystem read-only (`--read-only`), so that any future path-handling bug cannot reach system files. Enable the application's PIN protection so the upload endpoint is not open to everyone who can reach it on the network.
CVE-2025-24891 is a critical path traversal vulnerability in DumbDrop that lets an attacker overwrite arbitrary files inside the Docker container, which runs as root by default, so a file write can become code execution.
You are affected if you are running DumbDrop in a Docker container with the SHA-256 hash 'bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97' or earlier.
Upgrade DumbDrop to version 256.0.1 or later to remediate the vulnerability. Consider temporary workarounds like restricting file upload permissions if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes it a likely target for attackers.
Refer to the DumbDrop project's official website or repository for the latest security advisories and updates.