CVE-2025-64714
BaseFortify

Publication date: 2025-11-13

Last updated on: 2025-11-13

Assigner: GitHub, Inc.

Description
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere on the server, gain remote code execution. The constructed path of the template file is only checked for existence before it is included. For PrivateBin's own project files this does not leak any secrets, because data files are created with a leading line of PHP code that prevents execution; but if a configuration file without that line got created, or the visitor figures out the relative path to a PHP script that directly performs an action without appropriate privilege checking, those might execute or leak information. The issue has been patched in version 2.0.3. As a workaround, set `templateselection = false` (which is the default) in `cfg/conf.php` or remove the option entirely.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
privatebin  privatebin  2.0.3
privatebin  privatebin  1.7.7
CWE
CWE ID   Description
CWE-98   The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
CWE-73   The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-23   The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an unauthenticated Local File Inclusion (LFI) in PrivateBin versions from 1.7.7 up to before 2.0.3. It occurs in the template-switching feature when the 'templateselection' setting is enabled. The server trusts the 'template' cookie and includes the referenced PHP file without proper validation. This can allow an attacker to read sensitive data or, if they can place a malicious PHP file on the server, execute remote code. The vulnerability arises because the server includes files based on user input without sufficient privilege checks or protections. It has been fixed in version 2.0.3, and a workaround is to disable 'templateselection' in the configuration.

How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to read sensitive data stored on the server or potentially execute arbitrary code remotely if they manage to upload a malicious PHP file. This could lead to unauthorized access to confidential information or full compromise of the server hosting PrivateBin.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, set `templateselection = false` in the `cfg/conf.php` configuration file or remove the `templateselection` setting entirely. This disables the vulnerable template-switching feature. Additionally, upgrade PrivateBin to version 2.0.3 or later where the issue is patched.