CVE-2025-57633
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-11

Assigner: MITRE

Description
A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file parameter and executes it using os.system() without sanitization or escaping.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57633
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ajaypp123 ftp-flask-python *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57633 is a command injection vulnerability in the FTP-Flask-python project. It occurs in the /ftp.html endpoint's 'Upload File' action, where the ftp_file parameter is directly used to build a shell command executed by os.system() without any sanitization or escaping. This allows unauthenticated remote attackers to inject and execute arbitrary operating system commands on the server. [1]

Impact Analysis

This vulnerability can allow unauthenticated remote attackers to execute arbitrary OS commands on the affected server. This could lead to unauthorized access, data theft, data modification, service disruption, or complete system compromise depending on the attacker's actions. [1]

Detection Guidance

This vulnerability can be detected by monitoring requests to the /ftp.html endpoint, specifically POST requests with the 'ftp_file' parameter. You can look for unusual or suspicious command injection patterns in the ftp_file parameter. On the server, checking logs for unexpected shell command executions triggered by the FTP-Flask-python application may help. Network intrusion detection systems (NIDS) can be configured to alert on suspicious payloads targeting the /ftp.html endpoint. Specific commands might include using tools like curl or wget to send crafted POST requests to /ftp.html with payloads attempting command injection, and monitoring server logs for execution results. For example, a test command could be: curl -X POST -F "ftp_file=;id;" http://target/ftp.html and then checking server logs for the output of the 'id' command. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the /ftp.html endpoint, especially the 'Upload File' functionality, until a patch is applied. Input validation and sanitization should be implemented to prevent command injection, such as avoiding the use of os.system() with unsanitized input. Using safer alternatives like subprocess with argument lists or escaping inputs properly can help. Additionally, applying network-level restrictions to limit access to the vulnerable service and monitoring for exploitation attempts are recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart