CVE-2025-55011
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | up to 1.2.47 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55011 is a path traversal vulnerability in the Kanboard project management software's Task File Upload API. Before version 1.2.47, the createTaskFile method did not validate whether the task_id parameter was a valid task ID nor check for path traversal sequences. This allowed an attacker to write files to arbitrary locations on the filesystem accessible by the application user by manipulating the task_id parameter to include path traversal characters (e.g., ../../../). Although the filename is hashed and has no extension, the attacker could still write files anywhere the app user can write, potentially leading to remote code execution in some installation scenarios. The vulnerability was patched in version 1.2.47 by adding proper validation and sanitization of file paths and task IDs. [1]
How can this vulnerability impact me?
This vulnerability can allow a malicious actor with low privileges to write files to arbitrary locations on the server's filesystem where the Kanboard application user has write access. In default Docker installations, the impact is limited due to restricted writable directories and non-executable reverse shells. However, in manual installations where execution permissions are less restricted, an attacker could write and execute malicious files such as a PHP reverse shell in plugin directories, leading to remote code execution. This could compromise the server, allowing unauthorized access, data manipulation, or further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious API requests to the Kanboard createTaskFile method that include path traversal sequences in the task_id parameter (e.g., '../' or '..\\'). One can inspect web server logs or capture network traffic for JSON-RPC POST requests targeting the Task File Upload API with unusual task_id values. For example, using command-line tools:

1) To search web server logs for path traversal attempts: `grep -E '\.\./|\.\.\\' /var/log/nginx/access.log | grep 'createTaskFile'`
2) To capture and filter network traffic for suspicious POST requests (replace eth0 with your interface): `sudo tcpdump -A -s 0 -i eth0 'tcp port 80 or tcp port 443' | grep -E 'createTaskFile|task_id.*\.\./'`
3) Using curl to test for the vulnerability by sending crafted JSON-RPC requests with path traversal in task_id (only in a controlled test environment).

These methods help identify exploitation attempts or the presence of malicious files written outside intended directories. [1]
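The grep above only works where the log retains the request body, because the JSON-RPC method name and task_id travel in the POST body rather than the request line. The following is an added detection example (not code from BaseFortify or the Kanboard project) that inspects captured JSON-RPC bodies, such as those kept by a reverse proxy or WAF, and goes beyond the plain-text grep by also catching percent-encoded and backslash traversal forms; the log records are constructed for the example.

```python
import json
import re
from typing import Optional
from urllib.parse import unquote

# "../" or "..\" after decoding percent-encoding (twice, to catch double encoding)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
POSITIVE_INT_RE = re.compile(r"^[1-9][0-9]*$")

def suspicious_task_id(value) -> Optional[str]:
    """A legitimate task_id is a positive integer; return a reason otherwise."""
    if isinstance(value, int) and value > 0:
        return None
    text = str(value)
    if POSITIVE_INT_RE.match(text):
        return None
    if TRAVERSAL_RE.search(unquote(unquote(text))):
        return "path traversal sequence in task_id"
    return "non-numeric task_id"

def inspect_jsonrpc(body: str) -> Optional[str]:
    """Return a reason if body is a createTaskFile call with a bad task_id, else None."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "createTaskFile":
        return None
    params = req.get("params")
    if isinstance(params, dict):
        return suspicious_task_id(params.get("task_id", ""))
    if isinstance(params, list):
        # positional form: flag any string parameter carrying a traversal sequence
        for p in params:
            if isinstance(p, str) and TRAVERSAL_RE.search(unquote(unquote(p))):
                return "path traversal sequence in positional params"
    return None

# Constructed sample records (client, POST body); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", '{"jsonrpc":"2.0","method":"createTaskFile","id":1,"params":{"project_id":1,"task_id":12,"filename":"spec.pdf","blob":"Zm9v"}}'),
    ("10.0.0.9", '{"jsonrpc":"2.0","method":"createTaskFile","id":2,"params":{"project_id":1,"task_id":"../../../../tmp/probe","filename":"a","blob":"Zm9v"}}'),
    ("10.0.0.9", '{"jsonrpc":"2.0","method":"createTaskFile","id":3,"params":{"project_id":1,"task_id":"%2e%2e%2fdata","filename":"a","blob":"Zm9v"}}'),
    ("10.0.0.7", '{"jsonrpc":"2.0","method":"getTask","id":4,"params":{"task_id":"../x"}}'),
]

def scan(records):
    """Return (client, reason) for every record that trips the check."""
    return [(client, r) for client, body in records if (r := inspect_jsonrpc(body))]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(f"{client}: {reason}")
```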
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1) Upgrade Kanboard to version 1.2.47 or later, where the vulnerability is patched.
2) If upgrading is not immediately possible, restrict write permissions of the Kanboard application user to only necessary directories, preventing file writes outside intended paths.
3) Monitor and block suspicious API requests containing path traversal sequences in the task_id parameter.
4) Apply network-level controls such as web application firewalls (WAF) to detect and block path traversal attempts targeting the createTaskFile API.
5) Review and harden server configurations to prevent execution of files in writable directories outside the data directory.

The patch in version 1.2.47 sanitizes and validates file paths, enforces task existence and authorization checks, and prevents path traversal, effectively mitigating the issue. [1, 2]