Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24372

CVE-2025-24372: CKAN Privilege Escalation Vulnerability

CVE-2025-24372 is a privilege escalation vulnerability in CKAN that allows authenticated users to upload malicious files that can execute code when opened by administrators. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-24372 Overview

CKAN is an open-source data management system (DMS) used to power data hubs and data portals worldwide. CVE-2025-24372 affects CKAN versions prior to 2.10.7 and 2.11.2, where a registered user can upload a specially crafted file containing executable code. When an administrator opens the malicious file, the embedded code executes in the administrator's browser context and sends arbitrary requests to the server. This behavior, classified as Cross-Site Scripting [CWE-79], can lead to privilege escalation or other malicious actions performed under the administrator's authority. Exploitation requires user registration on the target site and administrator interaction with the uploaded content.

Critical Impact

An authenticated low-privilege user can escalate to administrator-level privileges when an admin opens a malicious uploaded file, enabling unauthorized actions against the CKAN deployment.

Affected Products

  • CKAN versions prior to 2.10.7
  • CKAN 2.11.x versions prior to 2.11.2
  • CKAN deployments allowing user or group file uploads without MIME type restrictions

Discovery Timeline

  • 2025-02-05 - CVE-2025-24372 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24372

Vulnerability Analysis

The vulnerability stems from insufficient validation of file uploads in CKAN. CKAN accepts user-supplied files for users and groups without strictly restricting the file content or rendered MIME types. An authenticated attacker uploads a file containing script content. When an administrator subsequently opens the file through the CKAN interface, the browser renders the embedded code in the application's origin.

The executed script can issue authenticated requests using the administrator's session. Because CKAN trusts the requests originating from the administrator account, the script can perform any action available to that role, including modifying privileges or altering site configuration. The attacker only needs site registration, which lowers the barrier for exploitation in public-facing CKAN instances that allow open signup.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. CKAN did not adequately constrain the MIME types and file types allowed in user and group upload endpoints, permitting active content such as HTML or SVG containing JavaScript to be served back to viewers. Browser rendering of these files in CKAN's origin enables script execution against authenticated sessions.

Attack Vector

The attack vector is network-based and requires low privileges plus user interaction. An attacker registers an account, uploads a crafted file with active content, and waits for an administrator to view it. Once opened, the payload performs server actions on behalf of the administrator, such as creating new admin accounts or modifying datasets.

No verified public proof-of-concept code is available for this issue. Technical details are documented in the GitHub Security Advisory GHSA-7pq5-qcp6-mcww and the fix commit CKAN Commit 7da6a26.

Detection Methods for CVE-2025-24372

Indicators of Compromise

  • Uploaded files in user or group storage with MIME types such as text/html, image/svg+xml, or other types capable of carrying active script content
  • Unexpected administrative actions originating from administrator sessions shortly after viewing user-uploaded content
  • Creation of new user accounts with elevated roles or modifications to API tokens not initiated by the administrator
  • Outbound HTTP requests from the CKAN web application to attacker-controlled hosts following file access events

Detection Strategies

  • Inspect CKAN upload directories for files whose extensions or contents do not match the expected dataset, image, or document types
  • Review CKAN access logs for sequences where an administrator request to an uploaded file URL is immediately followed by privileged API calls
  • Audit user, group, and organization role changes against the corresponding administrator activity timeline
  • Scan stored uploads for embedded <script>, <svg onload>, or javascript: patterns indicative of XSS payloads

Monitoring Recommendations

  • Enable verbose logging on CKAN file upload endpoints and centralize logs for correlation
  • Alert on file uploads whose detected MIME type differs from the declared extension
  • Monitor administrator session activity for high-frequency configuration or permission changes
  • Track new user registrations followed by upload activity within a short interval as a potential precursor to exploitation

How to Mitigate CVE-2025-24372

Immediate Actions Required

  • Upgrade CKAN deployments to version 2.10.7 or 2.11.2, whichever aligns with the current major version
  • Restrict allowed upload MIME types and file types using the ckan.upload.user.mimetypes, ckan.upload.user.types, ckan.upload.group.mimetypes, and ckan.upload.group.types configuration options
  • Review existing uploaded files for malicious content and remove any suspicious items prior to administrator access
  • Audit administrator accounts and recently changed permissions for signs of unauthorized escalation

Patch Information

The vulnerability is fixed in CKAN 2.10.7 and CKAN 2.11.2. The remediation is implemented in CKAN Commit 7da6a26. Operators should upgrade to a fixed release and verify that the upload configuration restricts active content types. Refer to the GitHub Security Advisory GHSA-7pq5-qcp6-mcww for vendor guidance.

Workarounds

  • Limit allowed file types by setting ckan.upload.user.types and ckan.upload.group.types to a narrow list of safe types such as image or document formats
  • Disable file uploads entirely by setting ckan.upload.user.types = none until the patch can be applied
  • Configure the web server or reverse proxy to serve user-uploaded files with Content-Disposition: attachment and a restrictive Content-Security-Policy to prevent script execution
  • Reference the CKAN Configuration for User Upload Types and CKAN Configuration for Group Types for full option documentation
bash
# Configuration example - restrict CKAN uploads in production.ini
ckan.upload.user.mimetypes = image/jpeg image/png
ckan.upload.user.types = image
ckan.upload.group.mimetypes = image/jpeg image/png
ckan.upload.group.types = image

# Or disable user uploads entirely until patched
# ckan.upload.user.types = none

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.