Vulnerability Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owasp | Faction | < 1.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b3893Patch
- https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-58ExploitVendor Advisory
- https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-58ExploitVendor Advisory
FAQ
What is CVE-2025-66022?
CVE-2025-66022 is a vulnerability with a CVSS score of 9.6 (CRITICAL). FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute ...
How severe is CVE-2025-66022?
CVE-2025-66022 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66022?
Check the references section above for vendor advisories and patch information. Affected products include: Owasp Faction.