{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24366", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-20T15:18:26.990Z", "datePublished": "2025-02-07T21:16:40.375Z", "dateUpdated": "2025-02-07T22:49:18.456Z"}, "containers": {"cna": {"title": "Insufficient sanitization of user provided rsync command in SFTPGo", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx"}, {"name": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1", "tags": ["x_refsource_MISC"], "url": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1"}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"version": ">= 0.9.5, < 2.6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-07T21:16:40.375Z"}, "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-vj7w-3m8c-6vpx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-07T22:49:03.247256Z", "id": "CVE-2025-24366", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T22:49:18.456Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24366", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T22:49:03.247256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T22:49:10.910Z"}}], "cna": {"title": "Insufficient sanitization of user provided rsync command in SFTPGo", "source": {"advisory": "GHSA-vj7w-3m8c-6vpx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"status": "affected", "version": ">= 0.9.5, < 2.6.5"}]}], "references": [{"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx", "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1", "name": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-07T21:16:40.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24366", "state": "PUBLISHED", "dateUpdated": "2025-02-07T22:49:18.456Z", "dateReserved": "2025-01-20T15:18:26.990Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-07T21:16:40.375Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "SFTPGo es una soluci\u00f3n de transferencia de archivos basada en eventos y de c\u00f3digo abierto. SFTPGo admite la ejecuci\u00f3n de un conjunto definido de comandos a trav\u00e9s de SSH. Adem\u00e1s de un conjunto de comandos predeterminados, se pueden activar algunos comandos opcionales, uno de ellos es `rsync`. Est\u00e1 deshabilitado en la configuraci\u00f3n predeterminada y est\u00e1 limitado al sistema de archivos local; no funciona con backends de almacenamiento remoto o en la nube. Debido a la falta de depuraci\u00f3n del comando `rsync` proporcionado por el cliente, un usuario remoto autenticado puede usar algunas opciones del comando rsync para leer o escribir archivos con los permisos del proceso del servidor SFTPGo. Este problema se solucion\u00f3 en la versi\u00f3n v2.6.5 al verificar los argumentos proporcionados por el cliente. Se recomienda a los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "id": "CVE-2025-24366", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-07T22:15:14.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1"}, {"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}