Platform: nodejs
Component: fuxa-server
Fixed in: 1.2.12, 1.2.11
CVE-2026-25951 describes a Path Traversal vulnerability discovered in fuxa-server. This flaw allows an authenticated administrator to bypass directory traversal protections, potentially leading to Remote Code Execution (RCE). The vulnerability impacts versions of fuxa-server prior to 1.2.11 and is a patch bypass of previous sanitization attempts. A fix is available in version 1.2.11.
The impact of CVE-2026-25951 is significant due to its potential for Remote Code Execution. An attacker, possessing administrative privileges, can exploit the flawed path sanitization logic by crafting malicious requests with nested traversal sequences (e.g., '....//'). This allows them to write arbitrary files to the server's filesystem, including sensitive directories such as 'runtime/scripts'. If the server reloads these malicious scripts, the attacker can execute arbitrary code, effectively gaining complete control over the system. This vulnerability is particularly concerning as it represents a bypass of previous security measures, indicating a deeper flaw in the application's design. The blast radius extends to any data accessible on the server filesystem, and the attacker could potentially use this foothold to compromise other systems on the network.
CVE-2026-25951 was publicly disclosed on 2026-02-10. The vulnerability's severity is considered HIGH (CVSS 7.5). There are currently no known public proof-of-concept exploits available, but the ease of exploitation (requiring only administrative privileges) suggests a high probability of exploitation if the vulnerability remains unpatched. It is not currently listed on the CISA KEV catalog. The description highlights this as a patch bypass, suggesting a potentially sophisticated attacker may be targeting this vulnerability.
Exploit Status
EPSS: 0.04% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25951 is to immediately upgrade fuxa-server to version 1.2.11 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Restrict administrative access to the server to only trusted users and implement strict input validation on all file paths. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious traversal sequences (e.g., '....//'). Monitor server logs for unusual file access patterns or attempts to write to sensitive directories. Sigma/YARA rules can be developed to detect malicious script files or unusual process execution patterns related to this vulnerability. After upgrading, confirm the fix by attempting to access a restricted directory using a traversal sequence; access should be denied.
Update FUXA to version 1.2.11 or later. This version fixes the path traversal vulnerability that allows remote code execution. The update will prevent attackers with administrative privileges from exploiting this vulnerability.
CVE-2026-25951 is a Path Traversal vulnerability in fuxa-server allowing authenticated admins to bypass directory protections and potentially achieve Remote Code Execution.
You are affected if you are running a version of fuxa-server prior to 1.2.11 and have authenticated administrators with access to the server.
Upgrade fuxa-server to version 1.2.11 or later. If an immediate upgrade is not possible, implement temporary workarounds such as restricting admin access and adding input validation on file paths.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the fuxa-server project's official website or security advisory page for the latest information and updates regarding CVE-2026-25951.