CVE-2025-53632

CRITICAL

ctfer-io chall-manager < 0.1.4 - Unauthenticated Path Traversal via Zip Slip

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-53632. PoCs published by pandatix.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-53632, targeting Chall-Manager versions < v0.1.4. The exploit leverages a path traversal vulnerability to replace the Pulumi binary with a malicious script, achieving remote code execution (RCE) during scenario validation.

Description

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 47d188f and shipped in v0.1.4.

Exploits (1)

nomisec WORKING POC

by pandatix · poc

https://github.com/pandatix/CVE-2025-53632

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-53632, targeting Chall-Manager versions < v0.1.4. The exploit leverages a path traversal vulnerability to replace the Pulumi binary with a malicious script, achieving remote code execution (RCE) during scenario validation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Chall-Manager < v0.1.4

No auth needed

Prerequisites: Docker for running Chall-Manager · Go for compiling the exploit · Network access to the target Chall-Manager instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-3gv2-v3jx-r9fh

Patch x_refsource_misc

https://github.com/ctfer-io/chall-manager/commit/47d188fda5e3f86285e820f12ad9fb6f9930662c

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4

Scores

CVSS v3 9.1

EPSS 0.0019

EPSS Percentile 41.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

ctfer-io/chall-manager < 0.1.4

ctfer-io/chall-manager 0 - 0.1.4Go

Published Jul 10, 2025

Tracked Since Feb 18, 2026