CVE-2025-24372 Overview
CKAN is an open-source data management system (DMS) used to power data hubs and data portals worldwide. CVE-2025-24372 affects CKAN versions prior to 2.10.7 and 2.11.2, where a registered user can upload a specially crafted file containing executable code. When an administrator opens the malicious file, the embedded code executes in the administrator's browser context and sends arbitrary requests to the server. This behavior, classified as Cross-Site Scripting [CWE-79], can lead to privilege escalation or other malicious actions performed under the administrator's authority. Exploitation requires user registration on the target site and administrator interaction with the uploaded content.
Critical Impact
An authenticated low-privilege user can escalate to administrator-level privileges when an admin opens a malicious uploaded file, enabling unauthorized actions against the CKAN deployment.
Affected Products
- CKAN versions prior to 2.10.7
- CKAN 2.11.x versions prior to 2.11.2
- CKAN deployments allowing user or group file uploads without MIME type restrictions
Discovery Timeline
- 2025-02-05 - CVE-2025-24372 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-24372
Vulnerability Analysis
The vulnerability stems from insufficient validation of file uploads in CKAN. CKAN accepts user-supplied files for users and groups without strictly restricting the file content or rendered MIME types. An authenticated attacker uploads a file containing script content. When an administrator subsequently opens the file through the CKAN interface, the browser renders the embedded code in the application's origin.
The executed script can issue authenticated requests using the administrator's session. Because CKAN trusts the requests originating from the administrator account, the script can perform any action available to that role, including modifying privileges or altering site configuration. The attacker only needs site registration, which lowers the barrier for exploitation in public-facing CKAN instances that allow open signup.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. CKAN did not adequately constrain the MIME types and file types allowed in user and group upload endpoints, permitting active content such as HTML or SVG containing JavaScript to be served back to viewers. Browser rendering of these files in CKAN's origin enables script execution against authenticated sessions.
Attack Vector
The attack vector is network-based and requires low privileges plus user interaction. An attacker registers an account, uploads a crafted file with active content, and waits for an administrator to view it. Once opened, the payload performs server actions on behalf of the administrator, such as creating new admin accounts or modifying datasets.
No verified public proof-of-concept code is available for this issue. Technical details are documented in the GitHub Security Advisory GHSA-7pq5-qcp6-mcww and the fix commit CKAN Commit 7da6a26.
Detection Methods for CVE-2025-24372
Indicators of Compromise
- Uploaded files in user or group storage with MIME types such as text/html, image/svg+xml, or other types capable of carrying active script content
- Unexpected administrative actions originating from administrator sessions shortly after viewing user-uploaded content
- Creation of new user accounts with elevated roles or modifications to API tokens not initiated by the administrator
- Outbound HTTP requests from the CKAN web application to attacker-controlled hosts following file access events
Detection Strategies
- Inspect CKAN upload directories for files whose extensions or contents do not match the expected dataset, image, or document types
- Review CKAN access logs for sequences where an administrator request to an uploaded file URL is immediately followed by privileged API calls
- Audit user, group, and organization role changes against the corresponding administrator activity timeline
- Scan stored uploads for embedded <script>, <svg onload>, or javascript: patterns indicative of XSS payloads
Monitoring Recommendations
- Enable verbose logging on CKAN file upload endpoints and centralize logs for correlation
- Alert on file uploads whose detected MIME type differs from the declared extension
- Monitor administrator session activity for high-frequency configuration or permission changes
- Track new user registrations followed by upload activity within a short interval as a potential precursor to exploitation
How to Mitigate CVE-2025-24372
Immediate Actions Required
- Upgrade CKAN deployments to version 2.10.7 or 2.11.2, whichever aligns with the current major version
- Restrict allowed upload MIME types and file types using the ckan.upload.user.mimetypes, ckan.upload.user.types, ckan.upload.group.mimetypes, and ckan.upload.group.types configuration options
- Review existing uploaded files for malicious content and remove any suspicious items prior to administrator access
- Audit administrator accounts and recently changed permissions for signs of unauthorized escalation
Patch Information
The vulnerability is fixed in CKAN 2.10.7 and CKAN 2.11.2. The remediation is implemented in CKAN Commit 7da6a26. Operators should upgrade to a fixed release and verify that the upload configuration restricts active content types. Refer to the GitHub Security Advisory GHSA-7pq5-qcp6-mcww for vendor guidance.
Workarounds
- Limit allowed file types by setting ckan.upload.user.types and ckan.upload.group.types to a narrow list of safe types such as image or document formats
- Disable file uploads entirely by setting ckan.upload.user.types = none until the patch can be applied
- Configure the web server or reverse proxy to serve user-uploaded files with Content-Disposition: attachment and a restrictive Content-Security-Policy to prevent script execution
- Reference the CKAN Configuration for User Upload Types and CKAN Configuration for Group Types for full option documentation
# Configuration example - restrict CKAN uploads in production.ini
ckan.upload.user.mimetypes = image/jpeg image/png
ckan.upload.user.types = image
ckan.upload.group.mimetypes = image/jpeg image/png
ckan.upload.group.types = image
# Or disable user uploads entirely until patched
# ckan.upload.user.types = none
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

