CVE-2025-27519

CRITICAL

Cognita < a78bd065e05a1b30a53a3386cc02e08c317d2243 - Path Traversal and Remote Code Execution via Local Upload Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-27519. PoCs published by Diabl0xE.

AI-analyzed exploit summary This PoC exploits a local privilege escalation vulnerability (CVE-2025-27519) in the 'below' logging utility by manipulating a world-writable log directory to overwrite /etc/passwd with a fake root user entry.

Description

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. A path traversal issue exists at /v1/internal/upload-to-local-directory which is enabled when the Local env variable is set to true, such as when Cognita is setup using Docker. Because the docker environment sets up the backend uvicorn server with auto reload enabled, when an attacker overwrites the /app/backend/__init__.py file, the file will automatically be reloaded and executed. This allows an attacker to get remote code execution in the context of the Docker container. This vulnerability is fixed in commit a78bd065e05a1b30a53a3386cc02e08c317d2243.

Exploits (1)

nomisec WORKING POC 2 stars

by Diabl0xE · poc

https://github.com/Diabl0xE/CVE-2025-27519

View Code ZIP pw:eip

This PoC exploits a local privilege escalation vulnerability (CVE-2025-27519) in the 'below' logging utility by manipulating a world-writable log directory to overwrite /etc/passwd with a fake root user entry.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: below logging utility (version not specified)

Auth required

Prerequisites: Local user access · World-writable /var/log/below/ directory · Presence of the 'below' binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources x_refsource_confirm

https://securitylab.github.com/advisories/GHSL-2024-193_GHSL-2024-194_Cognita/

Issue Tracking x_refsource_misc

https://github.com/truefoundry/cognita/pull/393

Patch x_refsource_misc

https://github.com/truefoundry/cognita/commit/a78bd065e05a1b30a53a3386cc02e08c317d2243

View Patch ZIP pw:eip

Scores

CVSS v4 9.3

EPSS 0.0127

EPSS Percentile 66.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

truefoundry/cognita < a78bd065e05a1b30a53a3386cc02e08c317d2243

Published Mar 07, 2025

Tracked Since Feb 18, 2026