CVE-2025-24891 CRITICAL

CVE-2025-24891: Dumb Drop has an arbitrary file overwrite and path traversal for root shell

Vendor Dumbwareio
Product DumbDrop
Weakness CWE-22 · Path traversal
Published January 31, 2025
Last update February 12, 2025

CVSS base score

9.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Dumb Drop is a file upload application. Users with permission to upload to the service can exploit a path traversal vulnerability to overwrite arbitrary system files. Because the container runs as root by default, there is no limit to what can be overwritten; with this, it is possible to inject malicious payloads into files that are run on a schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may give wholly unprivileged users root access; otherwise, anybody holding a PIN can do so.

Key dates

Disclosure timeline

January 31, 2025 CVE published
February 12, 2025 Record updated