CVE-2025-10009
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: National Cyber Security Centre Finland

Description
Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.
Meta Information
Published: 2025-09-22
Last Modified: 2025-09-22
Generated: 2026-05-07
AI Q&A: 2025-09-22
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: invoiceninja
Product: invoiceninja
Version / Range: 5.11.72
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Invoice Ninja versions up to 5.11.72 involves improper handling of uploaded files in the admin 'Restore' function. Specifically, attackers who have admin credentials can upload malicious .php files that the system does not properly validate or sanitize, allowing them to execute arbitrary code on the server. This means an attacker could run any code they want on the server, potentially taking full control of it.


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with admin access to execute arbitrary code on the server hosting Invoice Ninja. This can lead to full server compromise, including data theft, data manipulation, service disruption, or further attacks on connected systems. The attacker could upload malicious scripts that run with the server's privileges, potentially causing severe damage to your infrastructure and data integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on identifying unauthorized or suspicious .php file uploads via the admin "Restore" function. Since the vulnerability involves arbitrary code execution through uploaded .php files, monitoring upload directories for unexpected .php files is key. Commands and checks to detect such files include:
1) Using find to locate .php files in upload or storage directories, e.g., `find /path/to/invoiceninja/storage/app/tmp/uploads -name '*.php'`
2) Checking web server logs for POST requests to the Restore function endpoint that include .php files.
3) Using file integrity monitoring tools to detect new or modified .php files in upload directories.
4) Using grep or similar tools to scan for suspicious file names or metadata in upload logs.
However, no explicit detection commands are provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Applying the security patch described in Resource 1, which enforces strict validation and sanitization of uploaded file metadata, limits chunk sizes, and securely handles file assembly and storage.
2) Restricting admin access to trusted users only, since the vulnerability requires admin credentials.
3) Monitoring and removing any unauthorized .php files in upload directories.
4) Configuring the web server to prevent execution of uploaded files in the upload directories (e.g., disabling PHP execution in those directories).
5) Reviewing and tightening file upload permissions and storage paths to ensure they follow the secure handling practices outlined in the patch.
These steps help prevent arbitrary code execution via malicious uploaded files. [1]
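As an added example (not part of this advisory, the Invoice Ninja project, or the generated answers above), the upload-directory check from the detection and mitigation answers as a reusable shell function: it lists files under a given directory that carry a PHP-executable extension or contain a `<?php` open tag under any file name, which goes slightly beyond the .php-only `find` above. The default path is the placeholder path quoted in the detection answer, not a verified Invoice Ninja location.

```shell
#!/bin/sh
# Added example: scan an upload directory for files the PHP interpreter
# would execute. The default path below is the placeholder from the Q&A,
# not a verified Invoice Ninja path; pass your instance's storage path.

# find_php_uploads DIR
# Prints, one per line and deduplicated, every regular file under DIR that
# either has an extension commonly mapped to PHP (the advisory names .php;
# .phpN, .phtml and .phar are included because common handler configs also
# execute them) or contains a "<?php" open tag regardless of its name
# (e.g. a script uploaded as .jpg). Exit status: 0 if anything was listed,
# 1 if the directory is clean, 2 if DIR is not a directory.
find_php_uploads() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "find_php_uploads: not a directory: $dir" >&2
        return 2
    fi
    {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                               -o -iname '*.phtml' -o -iname '*.phar' \)
        # -r: recurse, -l: file names only, -F: literal (not regex) pattern
        grep -rlF -- '<?php' "$dir" 2>/dev/null
    } | sort -u | grep .
}

# report_php_uploads DIR
# Same listing on stdout plus a one-line summary on stderr for cron/FIM use.
report_php_uploads() {
    hits=$(find_php_uploads "$1") || return $?
    printf '%s\n' "$hits"
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    echo "warning: $count PHP-executable upload(s) found under $1" >&2
}

# Run only when a path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    report_php_uploads "${1:-/path/to/invoiceninja/storage/app/tmp/uploads}"
fi
```

A non-zero exit with no output means the directory is clean, which makes the function usable as a file-integrity cron job or as the check behind mitigation step 3 above.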

