CVE-2025-69618
Arbitrary File Overwrite in Tarot v11.4.0 Enables Code Execution
Publication date: 2026-02-04
Last updated on: 2026-03-13
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coto.world | coto | 11.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69618 is an arbitrary file overwrite vulnerability in the file import process of the Tarot, Astro & Healing Android app version 11.4.0 developed by COMMUNITY PLATFORM PTE.LTD.
The vulnerability arises because the app does not validate the file name it uses to build the destination path during import: the name comes from the sending app's content provider (the _display_name column), so an attacker can embed path traversal sequences and make the write land on critical internal files within the app's private storage rather than in the import directory.
This flaw can be exploited by a malicious app installed on the same device that sends a specially crafted ACTION_SEND intent to the vulnerable app, causing it to overwrite sensitive files such as configuration or executable files. [2]
How can this vulnerability impact me?
Exploitation of this vulnerability can have severe impacts including arbitrary code execution, exposure of sensitive information, denial of service, app malfunction, or failure to launch.
Because the attacker can overwrite internal files, they may inject malicious code or disrupt the normal operation of the app, potentially compromising the device or user data.
The attack requires minimal user interaction and can be triggered automatically when the victim opens the malicious app.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-69618 involves monitoring for suspicious file import activity in the Tarot, Astro & Healing app (version 11.4.0), specifically imports whose file name contains path traversal sequences and therefore resolves outside the import directory.
One approach is to check for unexpected modifications to sensitive internal files such as /data/data/world.eve.coto/shared_prefs/WebViewChromiumPrefs.xml, which the exploit can overwrite.
The app's private data directory is not readable by other apps or by an unprivileged adb shell, so these checks need a rooted Android device or an emulator:
- adb shell ls -l /data/data/world.eve.coto/shared_prefs/WebViewChromiumPrefs.xml
- adb shell stat /data/data/world.eve.coto/shared_prefs/WebViewChromiumPrefs.xml
- adb shell cat /data/data/world.eve.coto/shared_prefs/WebViewChromiumPrefs.xml
ls -l and stat only surface size and modification time, and a fresh timestamp does not by itself tell you whether the write was legitimate; compare the file contents (from cat) against a known-good copy taken from a clean install of the same version.
Additionally, watch for ACTION_SEND intents delivered to the vulnerable MainActivity whose content URI is served by a provider that returns a _display_name containing "../" or an absolute path. _display_name is the column the app reads to choose the destination file name, and a malicious provider controls it entirely, so that value is the indicator to log.
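The adb commands above expose only timestamps and raw file contents. The following added Python script (not part of this page or of the app) turns the "compare against a known-good copy" idea into a repeatable check: take a SHA-256 baseline of a pulled copy of the app's data directory, then diff it after suspected activity. The directory layout and file contents it builds are constructed for the demo; in practice the directory would come from `adb pull /data/data/world.eve.coto` on a rooted device or emulator.

```python
import hashlib
import os
import tempfile


def snapshot(pulled_dir):
    """Map every regular file under pulled_dir (path relative to it, with
    forward slashes) to its SHA-256. Works on a local copy, e.g. from
    `adb pull /data/data/world.eve.coto ./baseline` on a rooted device."""
    digests = {}
    for dirpath, _dirs, files in os.walk(pulled_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, pulled_dir).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return the files modified, added and removed between two snapshots.
    A modified shared_prefs/*.xml or a new file under files/ after an
    import is what the advisory's overwrite would look like."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed run: baseline a fake pulled data dir, then simulate the
    overwrite the advisory describes plus an attacker-dropped extra file."""
    with tempfile.TemporaryDirectory() as pulled:
        prefs_dir = os.path.join(pulled, "shared_prefs")
        os.makedirs(prefs_dir)
        os.makedirs(os.path.join(pulled, "files"))
        prefs = os.path.join(prefs_dir, "WebViewChromiumPrefs.xml")
        with open(prefs, "w") as f:
            f.write("<map/>\n")  # placeholder for the real preferences file
        baseline = snapshot(pulled)

        # Same length as the original: `ls -l` would show no size change,
        # which is why the comparison is on content hashes, not metadata.
        with open(prefs, "w") as f:
            f.write("<mAp/>\n")
        with open(os.path.join(pulled, "files", "dropped.js"), "w") as f:
            f.write("// attacker-controlled\n")
        return compare(baseline, snapshot(pulled))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline snapshot from a clean install of version 11.4.0 in version control; any later diff in shared_prefs or in files that the app did not legitimately write is worth pulling and inspecting.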
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid importing files from untrusted sources into the Tarot, Astro & Healing app version 11.4.0. Because the import is triggered by an intent from another app, the effective control on the user side is not installing untrusted apps on the same device.
- Review which other apps on the device can share files to it. The entry point is the app's MainActivity receiving ACTION_SEND, not a runtime permission, so permission settings alone do not close the path.
- Update the app to a version in which this vulnerability is patched, if one is available.
- Monitor for unusual app behavior such as crashes, failure to launch, or unexpected changes in configuration files.
Since the vulnerability arises from improper validation of the imported file name, the fix on the app side is to validate the name obtained from the content provider before building the destination path: canonicalise the resulting path and verify that it still lies inside the intended import directory, or discard any directory component and keep only the base name. Until such a fix ships, uninstalling the app removes the exposure.
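As an added example that is not the app's code (which this page does not reproduce), the following Python models the import logic described in the explanation above and the validation the mitigation advice calls for. The app itself is Android code in Java or Kotlin; the containment check shown here mirrors the File.getCanonicalPath() plus startsWith idiom used there. The import subdirectory files/imports, the fake /data/data/world.eve.coto tree and the payload are assumptions constructed for the demo, and the number of "../" segments in the crafted display name follows from that assumed import directory.

```python
import os
import tempfile

# Assumed layout, constructed for this example: the app's private data
# directory and the subdirectory where imported files are meant to land.
# The real import path inside the app is not given on the page.
APP_DATA_DIR_NAME = "world.eve.coto"
IMPORT_SUBDIR = os.path.join("files", "imports")
TARGET_FILE = os.path.join("shared_prefs", "WebViewChromiumPrefs.xml")

# Crafted _display_name: two "../" climb from files/imports back to the
# app data root, then descend into shared_prefs. The depth depends on the
# assumed import directory above.
CRAFTED_DISPLAY_NAME = "../../shared_prefs/WebViewChromiumPrefs.xml"


def make_fake_app_dir(root):
    """Create a throwaway tree mimicking /data/data/world.eve.coto."""
    app_dir = os.path.join(root, APP_DATA_DIR_NAME)
    os.makedirs(os.path.join(app_dir, IMPORT_SUBDIR))
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    with open(os.path.join(app_dir, TARGET_FILE), "w") as f:
        f.write("<map/>\n")  # placeholder for the real preferences file
    return app_dir


def vulnerable_import(app_dir, display_name, data):
    """Model of the flawed import: the provider-supplied display name is
    joined onto the import directory with no containment check, so "../"
    segments walk out of it."""
    dest = os.path.join(app_dir, IMPORT_SUBDIR, display_name)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def hardened_import(app_dir, display_name, data):
    """Canonicalise, then require the result to stay inside the import
    directory. Rejects traversal, absolute names and empty names."""
    import_dir = os.path.realpath(os.path.join(app_dir, IMPORT_SUBDIR))
    candidate = os.path.realpath(os.path.join(import_dir, display_name))
    if candidate == import_dir or \
            os.path.commonpath([import_dir, candidate]) != import_dir:
        raise ValueError("display name escapes import dir: %r" % display_name)
    with open(candidate, "wb") as f:
        f.write(data)
    return candidate


def demo():
    """Run both variants against the crafted name; report what happened."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = make_fake_app_dir(root)
        prefs = os.path.join(app_dir, TARGET_FILE)
        payload = b'<map><string name="x">attacker</string></map>\n'

        vulnerable_import(app_dir, CRAFTED_DISPLAY_NAME, payload)
        with open(prefs, "rb") as f:
            overwritten = f.read() == payload

        try:
            hardened_import(app_dir, CRAFTED_DISPLAY_NAME, payload)
            rejected = False
        except ValueError:
            rejected = True

        # A benign name is still accepted and lands inside the import dir.
        benign = hardened_import(app_dir, "reading.json", b"{}")
        import_dir = os.path.realpath(os.path.join(app_dir, IMPORT_SUBDIR))
        inside = benign.startswith(import_dir + os.sep)

        return {"vulnerable_overwrote_prefs": overwritten,
                "hardened_rejected_crafted_name": rejected,
                "hardened_accepted_benign_name": inside}


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than looking for the literal string "../", so it also catches absolute names and names that traverse through a symlink; stripping the name down to its base name is the simpler alternative when the app never needs subdirectories in imports.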