CVE-2025-25284 Overview
CVE-2025-25284 is a path traversal vulnerability in the ZOO-Project, an open source processing platform released under the MIT/X11 license. The flaw resides in the Web Processing Service (WPS) implementation, specifically the Gdal_Translate service. The service fails to validate file paths referenced in the VRTRasterBand element of Virtual Format (VRT) files. An unauthenticated remote attacker can submit a crafted VRT file that uses relative path traversal sequences in the SourceFilename parameter to read arbitrary files. The contents are returned as TIFF output, exposing configuration files, credentials, and other sensitive system data [CWE-22].
Critical Impact
Unauthenticated attackers can read arbitrary files from the host file system via the WPS service, including configuration files and credentials.
Affected Products
- ZOO-Project open source WPS platform
- Gdal_Translate service component handling VRT input files
- Deployments using GDAL-based services without validateVRT enforcement
Discovery Timeline
- 2025-02-18 - CVE-2025-25284 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-25284
Vulnerability Analysis
The vulnerability stems from missing input sanitization in the Gdal_Translate WPS service. When a client submits a VRT file as input, the service passes the SourceFilename value inside VRTRasterBand directly to GDAL without verifying that the referenced path stays within the intended working directory. VRT supports raw data handling, which lets GDAL read any file as binary input and convert it into a TIFF image. The conversion preserves byte contents, so the attacker recovers the original file by parsing the returned TIFF raster data.
Root Cause
The Gdal_Translate service did not validate paths embedded in VRT documents. Two missing controls enabled exploitation: there was no validateVRT check restricting allowed source paths, and no isAllowedPath function constraining file:// URLs to a defined allow list. Combined, these omissions allow ../ traversal sequences to escape the service's working directory.
Attack Vector
The attack is performed remotely against the WPS endpoint with no authentication and no user interaction. An attacker crafts a VRT XML document referencing a target system file via a traversal path, submits it to the Gdal_Translate process, and retrieves the file contents in the converted TIFF response.
# Patch excerpt - zoo-project/HISTORY.txt (commit 5f155a8)
* Update GDAL based services to use the validateVRT for VRT used as
input file to ensure only the allowed paths are accessible.
* Add an isAllowedPath function to ensure the URL using file:// give
access only to the defined allowed paths, defined in the allowedPaths key
from the main section.
Source: ZOO-Project commit 5f155a8
Detection Methods for CVE-2025-25284
Indicators of Compromise
- WPS execute requests to the Gdal_Translate identifier containing inline VRT XML payloads
- VRT SourceFilename elements containing ../ traversal sequences or file:// URIs pointing outside the service work directory
- Outbound TIFF responses generated from requests that referenced system paths such as /etc/passwd, /etc/shadow, or application configuration files
- Unexpected GDAL process reads against sensitive paths outside the configured data directory
Detection Strategies
- Inspect HTTP request bodies to the WPS endpoint for VRT XML structures and flag any SourceFilename containing traversal characters or absolute system paths
- Monitor file access by the zoofpm worker process for reads outside its designated input directory
- Correlate WPS job submissions with file open events on sensitive paths using endpoint telemetry
Monitoring Recommendations
- Enable verbose logging for the ZOO-Project zoofpm workers and capture the full request payload for Gdal_Translate invocations
- Alert on TIFF outputs whose byte size or entropy patterns differ significantly from expected raster outputs
- Track repeated WPS calls from a single source attempting variations of path traversal sequences
How to Mitigate CVE-2025-25284
Immediate Actions Required
- Upgrade ZOO-Project to a version containing commit 5f155a8 or later, which adds validateVRT and isAllowedPath enforcement
- Define an explicit allowedPaths entry in the main configuration section to restrict where file:// URIs may resolve
- Restrict network exposure of the WPS endpoint to authenticated or internal consumers until the patch is applied
Patch Information
The issue is addressed in commit 5f155a8 of the ZOO-Project repository. The fix introduces a validateVRT routine for all GDAL-based services that consume VRT input and adds an isAllowedPath function to constrain file:// URL resolution. Full details are in the GitHub Security Advisory GHSA-8c27-wmvv-3p38.
Workarounds
- No vendor-supplied workaround exists; upgrading is required
- As a compensating control, run the zoofpm worker under a least-privileged user account with read access limited to required data directories
- Place the WPS service behind a reverse proxy that inspects and rejects VRT payloads containing ../ sequences or file:// schemes
# Example: pull and rebuild with the patched commit
git clone https://github.com/ZOO-Project/ZOO-Project.git
cd ZOO-Project
git checkout 5f155a8
# Ensure the main configuration defines allowedPaths
# [main]
# allowedPaths=/var/data/zoo/inputs,/var/data/zoo/shared
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
