- Description
- GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths. When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files. The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data. This issue has been addressed in version 8.2.7.90 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-22
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
🔎 VulnWatch Friday: CVE-2025-27092 🔓 Path traversal vulnerability found in GHOSTS v8.0.0.0. Attackers could access files outside intended directories. @github GHOSTS is an open-source user simulation framework for cyber simulation. @SEI_CMU 🔧Fix: Upgrade to v8.2.7.90 https
@kpoireault
21 Feb 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-27092 🔴 HIGH (8.7) 🏢 cmu-sei - GHOSTS 🏗️ >= 8.0.0, < 8.2.7.90 🔗 https://t.co/GsxFfCqvuW 🔗 https://t.co/Ksqz0S7GGv #CyberCron #VulnAlert https://t.co/usxBoQpQWT
@cybercronai
21 Feb 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 High Security Vulnerability 🆔 CVE-2025-27092 💣 CVSS Score: 8.7 📅 Published Date: 2025-02-19 ⚠️ Details: GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS
@DarkWebInformer
19 Feb 2025
2338 Impressions
2 Retweets
12 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-27092 GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHO… https://t.co/1e7lIUmITo
@CVEnew
19 Feb 2025
337 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-27092: HIGH] A path traversal vulnerability in GHOSTS v8.0.0.0 allows attackers to access sensitive files. Upgrade to v8.2.7.90 to fix the issue. #cybersecurity#cybersecurity,#vulnerability https://t.co/foZK5LKmZt https://t.co/9MDom994DE
@CveFindCom
19 Feb 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes