CVE-2025-24891

Published Jan 31, 2025

Last updated 22 days ago

Overview

Description
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it is possible to inject malicious payloads into files run on a schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may grant wholly unprivileged users root access; otherwise, it grants root access to anybody with a PIN.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.6
Impact score
6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-22

Social media

  1. How to Fix CVE-2025-24891: Mitigating the Critical Path Traversal Vulnerability in Dumb Drop File Upload Application? https://t.co/hkHK5Gp3bh https://t.co/OVJxi7u0Z3

     @TheSecMaster1, 3 Feb 2025

     1386 impressions, 7 retweets, 34 likes, 11 bookmarks, 1 reply, 0 quotes

  2. Alrighty CVE-2025-24891 - A path traversal vulnerability in Dumb Drop application that allows users with upload permissions to overwrite arbitrary system files. https://t.co/SWs6H5iNZ4

     @GrimmAnalyst, 1 Feb 2025

     35 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  3. CVE-2025-24891 01/31/2025 11:15:08 PM BaseSeverity: CRITICAL Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulne... https://t.co/REmgw0EQAn

     @CVETracker, 1 Feb 2025

     30 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  4. CVE-2025-24891 - Dumb Drop file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability. Container runs as root by default 🙄 https://t.co/suBjEDo5Pj

     @gothburz, 1 Feb 2025

     132 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  5. [CVE-2025-24891: CRITICAL] File upload app Dumb Drop has a serious path traversal vulnerability allowing users to overwrite system files, inject malicious payloads, gain root access, or anyone with a PIN. #cybersecurity #vulnerability https://t.co/3gJyyEH9eM https://t.co/vGpu0AjuL

     @CveFindCom, 31 Jan 2025

     46 impressions, 0 retweets, 3 likes, 0 bookmarks, 0 replies, 0 quotes

  6. CVE-2025-24891 Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary syste… https://t.co/yQPnzYDgBN

     @CVEnew, 31 Jan 2025

     613 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes