Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27092

CVE-2025-27092: Cmu Ghosts Path Traversal Vulnerability

CVE-2025-27092 is a path traversal vulnerability in Cmu Ghosts that allows attackers to access arbitrary files outside intended directories. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-27092 Overview

CVE-2025-27092 is a path traversal vulnerability discovered in GHOSTS, an open source user simulation framework developed by Carnegie Mellon University (CMU) for cyber experimentation, simulation, training, and exercise. The vulnerability exists in version 8.0.0.0 and allows an attacker to access files outside of the intended directory through the photo retrieval endpoint, potentially exposing sensitive system files including configuration files and credentials.

Critical Impact

This path traversal vulnerability allows attackers to read arbitrary files from the server's filesystem with the permissions of the web application process, potentially exposing sensitive configuration files, credentials, and other critical data.

Affected Products

  • GHOSTS version 8.0.0.0 (all versions prior to 8.2.7.90)
  • CMU GHOSTS user simulation framework deployments
  • Systems running the vulnerable /api/npcs/{id}/photo endpoint

Discovery Timeline

  • February 19, 2025 - CVE-2025-27092 published to NVD
  • February 27, 2025 - Last updated in NVD database

Technical Details for CVE-2025-27092

Vulnerability Analysis

The vulnerability resides in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) within the GHOSTS simulation framework. The endpoint fails to properly validate and sanitize file paths provided through the photoLink parameter when creating or modifying NPC records.

When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal.

Root Cause

The root cause of this vulnerability is improper input validation in the photo retrieval functionality. The application directly uses user-supplied path values without verifying that the resolved path remains within the intended application scope. The lack of path canonicalization and boundary checking enables attackers to escape the designated photo directory.

Attack Vector

This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can exploit this flaw by:

  1. Creating an NPC record with a malicious photoLink value containing path traversal sequences
  2. Requesting the photo endpoint for that NPC
  3. The server processes the path traversal sequences and returns files from arbitrary locations on the filesystem

The attack could be used to exfiltrate sensitive files such as /etc/passwd, application configuration files containing database credentials, or any other file readable by the web application process.

csharp
// Security patch implementing path validation
// Source: https://github.com/cmu-sei/GHOSTS/commit/e69827556a52ff813de00e1017c4b62598d2c887

+// Copyright 2017 Carnegie Mellon University. All Rights Reserved. See LICENSE.md file for terms.
+
+using System;
+using System.IO;
+
+namespace ghosts.api.Infrastructure.Extensions;
+
+public static class DirectoryExtensions
+{
+    public static bool IsPathWithinAppScope(this string targetPath, string root)
+    {
+        try
+        {
+            var fullRootPath = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
+            var fullTargetPath = Path.GetFullPath(Path.Combine(fullRootPath, targetPath));
+
+            return fullTargetPath.StartsWith(fullRootPath, StringComparison.OrdinalIgnoreCase);
+        }
+        catch
+        {
+            return false;
+        }
+    }
+}

Source: GitHub GHOSTS Commit Update

The patch introduces the IsPathWithinAppScope extension method that properly validates whether a target path remains within the allowed root directory by comparing canonicalized paths.

Detection Methods for CVE-2025-27092

Indicators of Compromise

  • Unusual requests to /api/npcs/{id}/photo endpoints containing ../ or ..\ sequences
  • NPC records with photoLink values containing path traversal patterns
  • Web server logs showing attempts to access system files like /etc/passwd or Windows configuration files
  • Application errors or exceptions related to file access outside the photo directory

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal sequences in requests
  • Monitor API access logs for patterns matching directory traversal attempts (../, ..\, %2e%2e%2f, %2e%2e/)
  • Enable detailed logging on the GHOSTS API endpoints to capture suspicious file access attempts
  • Deploy intrusion detection systems (IDS) with signatures for path traversal attacks

Monitoring Recommendations

  • Set up alerts for any requests to the /api/npcs/*/photo endpoint containing encoded or literal path traversal sequences
  • Monitor file system access patterns from the GHOSTS web application process for reads outside expected directories
  • Review NPC creation and modification requests for suspicious photoLink values
  • Implement anomaly detection for unusual file access patterns from the web server process

How to Mitigate CVE-2025-27092

Immediate Actions Required

  • Upgrade GHOSTS to version 8.2.7.90 or later immediately
  • Audit existing NPC records for any entries containing path traversal sequences in the photoLink field
  • Review application logs for evidence of exploitation attempts
  • Consider restricting network access to the GHOSTS API while patching

Patch Information

CMU has addressed this vulnerability in GHOSTS version 8.2.7.90. The fix implements proper path validation using the IsPathWithinAppScope method that canonicalizes both the root directory and target path, then verifies the target path starts with the root directory. This prevents attackers from escaping the intended photo directory regardless of the traversal technique used.

For detailed patch information, see the GitHub Security Advisory GHSA-qr67-m6w9-wj3j.

Workarounds

  • There are no known workarounds for this vulnerability; upgrading is the only remediation option
  • As a temporary measure, restrict network access to the GHOSTS API to trusted IP addresses only
  • Implement a reverse proxy with WAF rules to filter requests containing path traversal patterns
  • Consider disabling the photo retrieval functionality if not critical to operations until patching is complete
bash
# Upgrade GHOSTS to patched version
# Clone the latest version from GitHub
git clone https://github.com/cmu-sei/GHOSTS.git
cd GHOSTS
git checkout v8.2.7.90

# Rebuild and redeploy the application following CMU documentation
# Verify the patch by checking for DirectoryExtensions.cs
ls -la src/Ghosts.Api/Infrastructure/Extensions/DirectoryExtensions.cs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.