CVE-2025-24366
HIGHSFTPGo 0.9.5-2.6.4 - Authenticated OS Command Injection via Rsync Command
Title source: llmDescription
SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx
Scores
CVSS v3
7.5
EPSS
0.0067
EPSS Percentile
47.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
drakkan/sftpgo
0Go
drakkan/sftpgo
0.9.5 - 2.6.5Go
drakkan/sftpgo
>= 0.9.5, < 2.6.5
Published
Feb 07, 2025
Tracked Since
Feb 18, 2026