CVE-2025-68430
Directory Listing Vulnerability in CVAT Allows File Exposure
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cvat-ai | cvat | 2.8.1 |
| cvat-ai | cvat | 2.52.0 |
| cvat-ai | cvat | 2.53.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-24 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker with a valid account to retrieve the names of files and subdirectories from any accessible directory on the CVAT server, potentially exposing directory structure information. Although the contents of files are not accessible, the disclosure of directory names could lead to information leakage that may impact compliance with data protection standards such as GDPR or HIPAA, which require safeguarding of sensitive information and limiting unauthorized access. Therefore, this vulnerability could pose a risk to compliance by exposing metadata that might aid further attacks or data discovery. [1]
Can you explain this vulnerability to me?
CVE-2025-68430 is a directory traversal vulnerability in CVAT versions 2.8.1 through 2.52.0. An attacker with a valid account on a CVAT instance can exploit this flaw to retrieve the names of files and subdirectories from any file system directory accessible to the CVAT server. This happens because the application improperly handles user-supplied directory parameters, failing to neutralize '../' sequences, which allows traversal outside the intended directory. However, the attacker cannot access the contents of the files themselves. The vulnerability is fixed in version 2.53.0. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows an attacker with a low-privilege account on a CVAT server to discover the names of files and directories anywhere on the server that the CVAT process can access. While the attacker cannot read file contents or modify data, this information disclosure could aid in further attacks or reconnaissance. There is no impact on data integrity or availability, and no known workarounds exist. The vulnerability has a moderate severity score (CVSS 5.3). [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access directory listings outside the intended directory on a CVAT server using directory traversal sequences such as "../../../../" in directory parameters. Since the vulnerability allows an attacker with a valid account to retrieve names of files and subdirectories, you can test by logging into a CVAT instance and issuing requests or using the web interface to specify directory paths containing traversal sequences to see if directory contents outside the allowed root are listed. Specific commands depend on the CVAT API or interface but generally involve sending requests with manipulated directory parameters to check if directory traversal is possible. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the CVAT installation to version 2.53.0 or later, where the vulnerability has been patched. There are no known workarounds available, so applying the official fix is necessary to prevent directory traversal attacks. [1]