CVE-2025-10009
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: National Cyber Security Centre Finland

Description
Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10009
EUVD
EUVD-2025-30778
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
invoiceninja invoiceninja 5.11.72
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Invoice Ninja versions up to 5.11.72 involves improper handling of uploaded files in the admin 'Restore' function. Specifically, attackers who have admin credentials can upload malicious .php files that the system does not properly validate or sanitize, allowing them to execute arbitrary code on the server. This means an attacker could run any code they want on the server, potentially taking full control of it.

Impact Analysis

If exploited, this vulnerability allows an attacker with admin access to execute arbitrary code on the server hosting Invoice Ninja. This can lead to full server compromise, including data theft, data manipulation, service disruption, or further attacks on connected systems. The attacker could upload malicious scripts that run with the server's privileges, potentially causing severe damage to your infrastructure and data integrity.

Detection Guidance

Detection can focus on identifying unauthorized or suspicious .php file uploads via the admin "Restore" function. Since the vulnerability involves arbitrary code execution through uploaded .php files, monitoring upload directories for unexpected .php files is key. Commands to detect such files include: 1) Using find to locate .php files in upload or storage directories, e.g., `find /path/to/invoiceninja/storage/app/tmp/uploads -name '*.php'` 2) Checking web server logs for POST requests to the Restore function endpoint that include .php files. 3) Using file integrity monitoring tools to detect new or modified .php files in upload directories. 4) Using grep or similar tools to scan for suspicious file names or metadata in upload logs. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Applying the security patch described in Resource 1, which enforces strict validation and sanitization of uploaded file metadata, limits chunk sizes, and securely handles file assembly and storage. 2) Restricting admin access to trusted users only, since the vulnerability requires admin credentials. 3) Monitoring and removing any unauthorized .php files in upload directories. 4) Configuring the web server to prevent execution of uploaded files in the upload directories (e.g., disabling PHP execution in those directories). 5) Reviewing and tightening file upload permissions and storage paths to ensure they follow the secure handling practices outlined in the patch. These steps help prevent arbitrary code execution via malicious uploaded files. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart