Platform: python
Component: viewvc
Fixed in: 1.1.1, 1.2.1
CVE-2025-54141 is a high-severity vulnerability affecting ViewVC versions 1.1.0 through 1.2.3. The standalone.py script, included with ViewVC, is susceptible to a directory traversal attack, allowing unauthorized access to the host server's filesystem. This vulnerability is addressed in version 1.2.4, and users are strongly advised to upgrade.
This directory traversal vulnerability allows an attacker to read arbitrary files from the host server's filesystem. By abusing the standalone.py script, an attacker can bypass the intended access controls and potentially retrieve sensitive data such as configuration files, source code, or even user credentials. The potential impact is significant, as successful exploitation could lead to complete compromise of the server. While the standalone.py script is not typically used in production environments, its presence introduces a significant attack surface if left unpatched.
This vulnerability was publicly disclosed on 2025-07-22. No known public exploits or active campaigns had been reported at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation is considered relatively difficult, as it requires direct access to the ViewVC installation and knowledge of the standalone.py script's vulnerability.
Organizations running ViewVC version 1.1.0 through 1.2.3, particularly those with publicly accessible ViewVC instances or those who have not regularly patched their ViewVC installations, are at significant risk. Shared hosting environments where multiple users share the same server and ViewVC installation are also particularly vulnerable.
• python / file-system:
find /opt/viewvc -name standalone.py
• generic web:
curl -I http://your-viewvc-server/standalone.py?file=/etc/passwd
• generic web:
grep -r 'standalone.py' /var/log/apache2/access.log
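The grep above reports every request that mentions standalone.py, including legitimate ones. The following added example (not part of the original page or of ViewVC) parses Apache combined-format access-log lines and flags only requests to standalone.py whose query values or trailing path carry a traversal-style value, after undoing percent-encoding. The log lines are constructed; the `file=` parameter name is taken from the page's own curl check, and every query value is inspected rather than assuming which parameter is the vulnerable one.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2025:10:01:02 +0000] "GET /viewvc/standalone.py?file=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"
10.0.0.6 - - [22/Jul/2025:10:02:10 +0000] "GET /viewvc/standalone.py?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 210 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Jul/2025:10:03:00 +0000] "GET /viewvc/trunk/README HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [22/Jul/2025:10:04:00 +0000] "GET /viewvc/standalone.py?file=docs/index.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp, method, request target and status of one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def traversal_reason(value: str):
    """Return why a path-like value looks like a traversal attempt, or None."""
    # Decode twice so double-encoded sequences (e.g. %252e%252e) are caught too.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "parent-directory segment"
    if "\x00" in decoded:
        return "null byte"
    return None

def scan_log(text: str):
    """Flag requests to standalone.py whose path or query carries a traversal value."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if "standalone.py" not in parts.path:
            continue  # only the vulnerable script is of interest
        # Inspect any path portion after the script and every query value; the
        # parameter name is deliberately not assumed (the page's check uses file=).
        tail = parts.path.split("standalone.py", 1)[1].lstrip("/")
        values = [tail] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for value in values:
            reason = traversal_reason(value)
            if reason:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                                 "target": m["target"], "reason": reason})
                break
    return findings
```

A 200 status on a flagged line is the one to investigate first; a 403 indicates the request was refused, but the attempt itself is still worth recording.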
Exploit status
EPSS
0.24% (47th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54141 is to upgrade ViewVC to version 1.2.4 or later. If immediate upgrading is not possible, consider removing the standalone.py script from the ViewVC installation directory to eliminate the attack vector. While not a complete solution, restricting access to the ViewVC installation directory via firewall rules or access control lists can further reduce the risk. After upgrading, confirm the fix by attempting to access files outside the intended ViewVC directory via the standalone.py script; access should be denied.
Update ViewVC to version 1.1.31 or later if you are using the 1.1.x branch, or to version 1.2.4 or later if you are using the 1.2.x branch. This fixes the directory traversal vulnerability in the standalone.py script. You can download the latest version from the official ViewVC website or from the source code repository.
CVE-2025-54141 is a high-severity vulnerability affecting ViewVC versions 1.1.0 through 1.2.3, allowing attackers to expose the host filesystem through the standalone.py script.
You are affected if you are running ViewVC versions 1.1.0 through 1.2.3. Upgrade to version 1.2.4 or later to resolve the vulnerability.
Upgrade ViewVC to version 1.2.4 or later. As a temporary workaround, remove the standalone.py script from the installation directory.
No active exploitation has been reported as of the disclosure date, but the vulnerability remains a risk until patched.
Refer to the official ViewVC security advisories on their website or mailing list for the latest information and updates.