CVE-2025-24891 — CRITICAL (9.6)

Vulnerability Description

Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Related Weaknesses (CWE)

CWE-22 CWE-276

References

FAQ

What is CVE-2025-24891?

CVE-2025-24891 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as ...

How severe is CVE-2025-24891?

CVE-2025-24891 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-24891?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.