Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-24971. PoCs published by be4zad.
AI-analyzed exploit summary: This PoC exploits a command injection vulnerability in DumbDrop by manipulating the filename parameter during file upload initialization. The payload is injected via the filename field, allowing arbitrary command execution on the target system.
Description
DumbDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the `/upload/init` endpoint of the DumbDrop application. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** feature is enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability.
Exploits (1)
This PoC exploits a command injection vulnerability in DumbDrop by manipulating the filename parameter during file upload initialization. The payload is injected via the filename field, allowing arbitrary command execution on the target system.
References (2)
Scores
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X