CVE-2025-34095
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-07-15
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mako | server | 2.6 |
| mako | server | 2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection in Mako Server versions 2.5 and 2.6. It occurs in the tutorial interface at the examples/save.lsp endpoint, where an unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code. This code is saved on disk and later executed when a GET request is made to examples/manage.lsp, allowing remote command execution on the server's operating system.
How can this vulnerability impact me?
The vulnerability allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system remotely. This can lead to full system compromise, data theft, service disruption, or further attacks on the network, affecting both Windows and Unix-based deployments.