CVE-2025-68430
Unknown Unknown - Not Provided
Directory Listing Vulnerability in CVAT Allows File Exposure

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68430
EUVD
EUVD-2025-204580
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cvat-ai cvat 2.8.1
cvat-ai cvat 2.52.0
cvat-ai cvat 2.53.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-24 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with a valid account to retrieve the names of files and subdirectories from any accessible directory on the CVAT server, potentially exposing directory structure information. Although the contents of files are not accessible, the disclosure of directory names could lead to information leakage that may impact compliance with data protection standards such as GDPR or HIPAA, which require safeguarding of sensitive information and limiting unauthorized access. Therefore, this vulnerability could pose a risk to compliance by exposing metadata that might aid further attacks or data discovery. [1]

Executive Summary

CVE-2025-68430 is a directory traversal vulnerability in CVAT versions 2.8.1 through 2.52.0. An attacker with a valid account on a CVAT instance can exploit this flaw to retrieve the names of files and subdirectories from any file system directory accessible to the CVAT server. This happens because the application improperly handles user-supplied directory parameters, failing to neutralize '../' sequences, which allows traversal outside the intended directory. However, the attacker cannot access the contents of the files themselves. The vulnerability is fixed in version 2.53.0. [1, 2]

Impact Analysis

This vulnerability allows an attacker with a low-privilege account on a CVAT server to discover the names of files and directories anywhere on the server that the CVAT process can access. While the attacker cannot read file contents or modify data, this information disclosure could aid in further attacks or reconnaissance. There is no impact on data integrity or availability, and no known workarounds exist. The vulnerability has a moderate severity score (CVSS 5.3). [1]

Detection Guidance

This vulnerability can be detected by attempting to access directory listings outside the intended directory on a CVAT server using directory traversal sequences such as "../../../../" in directory parameters. Since the vulnerability allows an attacker with a valid account to retrieve names of files and subdirectories, you can test by logging into a CVAT instance and issuing requests or using the web interface to specify directory paths containing traversal sequences to see if directory contents outside the allowed root are listed. Specific commands depend on the CVAT API or interface but generally involve sending requests with manipulated directory parameters to check if directory traversal is possible. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the CVAT installation to version 2.53.0 or later, where the vulnerability has been patched. There are no known workarounds available, so applying the official fix is necessary to prevent directory traversal attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart