CVE-2025-27410

MEDIUM

pwndoc < 1.2.0 - Authenticated Path Traversal and Remote Code Execution via Backup Restore

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-27410. PoCs published by shreyas-malhotra.

AI-analyzed exploit summary This PoC exploits a directory traversal vulnerability in PwnDoc's backup restore functionality (CVE-2025-27410) to achieve arbitrary file write and remote code execution. It crafts a malicious tar archive to overwrite a JavaScript module, injecting arbitrary code execution via child_process.execSync.

Description

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue.

Exploits (1)

nomisec WORKING POC

by shreyas-malhotra · poc

https://github.com/shreyas-malhotra/CVE-2025-27410

View Code ZIP pw:eip

This PoC exploits a directory traversal vulnerability in PwnDoc's backup restore functionality (CVE-2025-27410) to achieve arbitrary file write and remote code execution. It crafts a malicious tar archive to overwrite a JavaScript module, injecting arbitrary code execution via child_process.execSync.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PwnDoc (version not specified)

Auth required

Prerequisites: Valid credentials with backups:create permission · Access to the PwnDoc API endpoint

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx

Patch x_refsource_misc

https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080

View Patch ZIP pw:eip

Product x_refsource_misc

https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527

Release Notes x_refsource_misc

https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0

Scores

CVSS v3 6.5

EPSS 0.0182

EPSS Percentile 75.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-23

Status published

Products (1)

pwndoc_project/pwndoc < 1.2.0

Published Feb 28, 2025

Tracked Since Feb 18, 2026