CVE-2025-24891

CRITICAL

Dumb Drop - Path Traversal

Title source: llm

Description

Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.

References (2)

[Vendor Advisory] https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274

[Patch] https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d

View Patch ZIP pw:eip

Scores

CVSS v3 9.6

EPSS 0.0013

EPSS Percentile 31.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-276

Status published

Products (1)

DumbWareio/DumbDrop = sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97

Published Jan 31, 2025

Tracked Since Feb 18, 2026