CVE-2025-27410

Public Exploit

PwnDoc Arbitrary File Write to RCE using Path Traversal in backup restore as admin

Description

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue.

References

Link	Tags
https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx	vendor advisory exploit
https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080	patch
https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527	product
https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0	release notes

Frequently Asked Questions

What is the severity of CVE-2025-27410?: CVE-2025-27410 has been scored as a medium severity vulnerability.
How to fix CVE-2025-27410?: To fix CVE-2025-27410, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-27410 being actively exploited in the wild?: It is possible that CVE-2025-27410 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~7% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-27410?: CVE-2025-27410 affects pwndoc pwndoc.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions