CVE-2025-66022
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-26

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-26
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2025-11-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66022
EUVD
EUVD-2025-199690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
owasp faction to 1.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in FACTION, a PenTesting Report Generation and Collaboration Framework, allows unauthenticated attackers to upload malicious extensions via the /portal/AppStoreDashboard endpoint due to a missing authentication check. These malicious extensions can execute arbitrary system commands on the server when lifecycle hooks are invoked, leading to remote code execution (RCE) on the host running FACTION. The issue was fixed in version 1.7.1.

Impact Analysis

An attacker exploiting this vulnerability can gain remote code execution on the server hosting FACTION without authentication. This can lead to full compromise of the server, including unauthorized access, data theft, service disruption, or further attacks within the network.

Mitigation Strategies

Upgrade FACTION to version 1.7.1 or later, as this version contains the patch that fixes the vulnerability by adding authentication checks to the /portal/AppStoreDashboard endpoint and preventing untrusted extension code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart