CVE-2025-1025
published 2025-02-05
Priority P2 · 67 · high · 7.5 CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT · EPSS 17.55% (96.8th percentile)
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use a different extension to bypass the upload filter.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amazon | tough | >= 0 < 0.20.0 | 0.20.0 |
| cockpit-hq | cockpit | < 2.4.1 | 2.4.1 |
| cockpit-hq | cockpit | >= 0 < 2.4.1 | 2.4.1 |
| msrc | azl3_haproxy_2.9.11-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_haproxy_2.4.24-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- path: /storage/uploads/
- filename: *.php / *.phtml / *.phar (uploaded via extension bypass)
- snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cockpit Authenticated Arbitrary PHP File Upload (CVE-2025-1025)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/assets/upload"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|files|5b 5d 22 3b 20|filename|3d 22|"; pcre:"/^.*?\x2e(?:php|phtml|phar)/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-1025.yaml; reference:cve,2025-1025; classtype:attempted-admin; sid:2060780; rev:1; metadata:affected_product Cockpit, attack_target Web_Server, tls_state plaintext, created_at 2025_03_11, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- A POST to /assets/upload with a multipart body whose filename field carries a .php, .phtml, or .phar extension is the core exploit pattern: match on the exact URI length (bsize:14) plus the Content-Disposition header structure.
- After a successful upload, the attacker GETs the uploaded file from /storage/uploads/<path> to confirm remote code execution; monitor for GET requests to that path returning PHP-generated output.
- The exploit uses the WebKit multipart form boundary pattern; the specific boundary string seen in PoC traffic can be used as a supplementary network signature.
- The vulnerability affects cockpit-hq/cockpit versions before 2.4.1; any instance below that version accepting file uploads should be treated as potentially compromised.
- The Snort/Suricata rule (sid:2060780) is scoped to plaintext HTTP only (tls_state plaintext); HTTPS-terminated deployments will not be covered by this rule without SSL inspection.
- The rule assumes an authentication context ('Authenticated Arbitrary PHP File Upload'): the attacker must already hold valid credentials, and unauthenticated upload attempts may follow a different traffic pattern.
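The detection logic the rule above encodes (POST, exact URI, `files[]` part, PHP-executable extension anywhere in the filename) and the allowlist check that closes the extension-bypass hole, as an added example. This is not code from the page, from Cockpit, or from the Emerging Threats rule; it assumes raw plaintext HTTP/1.1 requests are available as bytes, and every request, host name and boundary below is constructed for the example rather than captured traffic.

```python
"""Mirror of Suricata sid:2060780 over raw HTTP requests, plus an allowlist
filename check. Added example, not Cockpit's or the rule author's code."""
import re
from dataclasses import dataclass
from typing import Optional

UPLOAD_URI = b"/assets/upload"          # 14 bytes: the rule's bsize:14 on http.uri
# The rule's content match with the |hex| escapes decoded.
DISPOSITION = b'Content-Disposition: form-data; name="files[]"; filename="'
# The rule's pcre /^.*?\x2e(?:php|phtml|phar)/R runs from the end of the
# previous match; '.' stops at a newline, so only the filename line is examined.
# It is not anchored at the end, so "shell.php.jpg" is flagged as well.
PHP_EXT_RE = re.compile(rb"^.*?\.(?:php|phtml|phar)")


@dataclass
class Verdict:
    matched: bool
    filename: Optional[bytes] = None
    reason: str = ""


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, body); headers are not needed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return b"", b"", body
    return parts[0], parts[1], body


def inspect_upload(raw: bytes) -> Verdict:
    """Return matched=True when the request fits the rule's exploit pattern."""
    method, uri, body = parse_request(raw)
    if method != b"POST":
        return Verdict(False, reason="not a POST")
    if uri != UPLOAD_URI:                # exact URI, as bsize:14 + content require
        return Verdict(False, reason="uri is not /assets/upload")
    idx = body.find(DISPOSITION)
    if idx < 0:
        return Verdict(False, reason="no files[] multipart part")
    line = body[idx + len(DISPOSITION):].split(b"\r\n", 1)[0]
    filename = line.split(b'"', 1)[0]
    if PHP_EXT_RE.match(line):
        return Verdict(True, filename, "PHP-executable extension in files[] filename")
    return Verdict(False, filename, "extension not in php/phtml/phar")


# Mitigation side (constructed policy, not Cockpit's): allowlist every dotted
# segment after the base name, so "shell.php.jpg" and "shell.phtml" are both
# refused and the filter cannot be bypassed by choosing an unexpected extension.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})


def is_allowed_filename(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:    # needs a base name and an extension
        return False
    return all(ext in allowed for ext in parts[1:])


def make_upload_request(filename: bytes) -> bytes:
    """Build a constructed multipart POST to /assets/upload for testing."""
    boundary = b"----WebKitFormBoundaryEXAMPLE0000"   # constructed boundary
    body = (b"--" + boundary + b"\r\n"
            + DISPOSITION + filename + b'"\r\n'
            + b"Content-Type: application/octet-stream\r\n\r\n"
            + b"placeholder file content\r\n"
            + b"--" + boundary + b"--\r\n")
    return (b"POST /assets/upload HTTP/1.1\r\n"
            b"Host: cms.example\r\n"                      # constructed host
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    for name in (b"shell.php", b"shell.php.jpg", b"photo.jpg"):
        v = inspect_upload(make_upload_request(name))
        print(name.decode(), "->", "ALERT" if v.matched else "pass", "|", v.reason)
```

Like the rule, the matcher only sees plaintext requests and only the `files[]` part; the allowlist check belongs in the application, where it is independent of transport and of how the file name is spelled.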
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_msrc | — | 6.8 | MEDIUM | — |
GHSA · 2025-03-28 · CVE-2025-2887 [MEDIUM] CWE-1025: tough failure to detect delegated target rollback
## Summary
When updating the snapshot role, TUF clients should ensure that any previously encountered targets or delegated targets metadata files continue to be present in new snapshot metadata files. Likewise, the new targets and delegated targets metadata versions must be greater than or equal to the previously encountered versions. While tough will perform this check for targets metadata files, it did not perform this check for delegated targets files.
## Impact
tough could fail to detect cases where delegated targets metadata was removed or rolled back to a previous version. As a result, tough could trust and download outdated targets that it should reject.
Impacted versions: < v0.20.0
## Patches
A fix for this issue is available
GHSA · 2025-03-28 · CVE-2025-2888 [MEDIUM] CWE-1025: tough timestamp metadata is cached when it fails snapshot rollback check
## Summary
TUF repositories use the timestamp role to protect against rollback events by enabling an automated process to periodically sign the role's metadata. While tough will ensure that the version of snapshot metadata in new timestamp metadata files was always greater than or equal to the previously trusted version, it will only do so after persisting the timestamp metadata to its cache.
## Impact
If the tough client successfully detects a rollback event in which timestamp metadata contains outdated snapshot metadata, the invalid timestamp metadata will still be persisted to cache as trusted. tough may then subsequently incorrectly identify valid timestamp metadata as being rolled back, preventing the client
GHSA · 2025-02-05 · CVE-2025-1025 [HIGH] CWE-434: Cockpit Arbitrary File Upload
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use a different extension to bypass the upload filter.
OSV · 2025-02-05 · CVE-2025-1025 [HIGH]: Cockpit Arbitrary File Upload
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use a different extension to bypass the upload filter.
Red Hat · 2025-12-16 · CVSS 5.5 · CVE-2025-68227 [LOW] CWE-1025: kernel: mptcp: Fix proto fallback detection with BPF
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Fix proto fallback detection with BPF
The sockmap feature allows bpf syscall from userspace, or based
on bpf sockops, replacing the sk_prot of sockets during protocol stack
processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
  syn_recv_sock()/subflow_syn_recv_sock()
    tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
      bpf_skops_established
'''
… sk_prot to compare with the native sk_prot, but this
is incorrect when sockmap is used, as we may incorrectly set
sk->sk_socket->ops.
This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring:
result from ./scripts/decode_stackt
Red Hat · 2025-10-09 · CVSS 7.8 · CVE-2025-39963 [HIGH] CWE-1025: kernel: io_uring: fix incorrect io_kiocb reference in io_link_skb
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix incorrect io_kiocb reference in io_link_skb
In io_link_skb function, there is a bug where prev_notif is incorrectly
assigned using 'nd' instead of 'prev_nd'. This causes the context
validation check to compare the current notification with itself instead
of comparing it with the previous notification.
Fix by using the correct prev_nd parameter when obtaining prev_notif.
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Ente
Red Hat · 2025-09-05 · CVSS 7.8 · CVE-2025-39701 [HIGH] CWE-1025: kernel: ACPI: pfr_update: Fix the driver update version check
In the Linux kernel, the following vulnerability has been resolved:
ACPI: pfr_update: Fix the driver update version check
The security-version-number check should be used rather
than the runtime version check for driver updates.
Otherwise, the firmware update would fail when the update binary had
a lower runtime version number than the current one.
[ rjw: Changelog edits ]
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - N
Red Hat · 2025-05-09 · CVSS 7.8 · CVE-2025-37839 [HIGH] CWE-1025: kernel: jbd2: remove wrong sb->s_sequence check
In the Linux kernel, the following vulnerability has been resolved:
jbd2: remove wrong sb->s_sequence check
Journal emptiness is not determined by sb->s_sequence == 0 but rather by
sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a
valid transaction ID so the check can spuriously trigger. Remove the
invalid WARN_ON.
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Out of support scope
Package: kernel-rt (Red Hat Enterprise Linux 7) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 8) - Out of support scope
Package: kernel-rt (Red Hat Enterprise Linux 8) - Out of support scope
Red Hat · 2025-04-09 · CVSS 6.8 · CVE-2025-32464 [MEDIUM] CWE-1025: haproxy: Buffer Overflow via Improper Back-Reference Replacement Length Check
HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.
A flaw was found in HAProxy. This issue can allow a buffer overflow via improper length checking when replacing multiple regex back-references in a string. Specifically, the replacement size is validated against the output buffer instead of the temporary trash buffer used during substitution. If multiple matches are replaced with strings larger than the available buffer size, this can lead to a memory overwrite.
Mitigation: Mitigation for this issue is either not available or the currently avail
Microsoft · 2025-04-08 · CVSS 6.8 · CVE-2025-32464 [MEDIUM] CWE-1025
HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update t
Suricata · 2025-03-11 · CVSS 7.7 · CVE-2025-1025 [HIGH]: ET WEB_SPECIFIC_APPS Cockpit Authenticated Arbitrary PHP File Upload (CVE-2025-1025)
Rule: sid:2060780 (full rule text given under Detection & IOCs above)
Nuclei · CVSS 7.7 · CVE-2025-1025 [HIGH]: Cockpit < 2.4.1 - Arbitrary File Upload
Template fragment (the page carries only the tail of the template):

```yaml
      ------WebKitFormBoundary3lKO5LogRxX0YStI--

    matchers:
      - type: word
        part: body
        words:
          - '"uploaded":["{{randstr}}.php"]'
        internal: true

    extractors:
      - type: json
        name: upload_path
        part: body
        json:
          - '.assets[0].path'
        internal: true

  - raw:
      - |
        GET /storage/uploads/{{upload_path}}?q={{base64(marker)}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '{{marker}}'
# digest: 4a0a0047304502207928d3ac81e53a59652908260f75abc3720571866fdfa6a2b2ef549de2a7d05e022100a5d0732710b1e353cb06898adbb3cc9077e487c6302299a187c88ef38428943c:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References:
- https://gist.github.com/CHOOCS/fe1227443544d5d74c33982814f290af
- https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae
- https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592
- https://security.snyk.io/vuln/SNYK-PHP-COCKPITHQCOCKPIT-8516320

Published: 2025-02-05