CVE-2025-27092 Overview
CVE-2025-27092 is a path traversal vulnerability discovered in GHOSTS, an open source user simulation framework developed by Carnegie Mellon University (CMU) for cyber experimentation, simulation, training, and exercise. The vulnerability exists in version 8.0.0.0 and allows an attacker to access files outside of the intended directory through the photo retrieval endpoint, potentially exposing sensitive system files including configuration files and credentials.
Critical Impact
This path traversal vulnerability allows attackers to read arbitrary files from the server's filesystem with the permissions of the web application process, potentially exposing sensitive configuration files, credentials, and other critical data.
Affected Products
- GHOSTS version 8.0.0.0 (all versions prior to 8.2.7.90)
- CMU GHOSTS user simulation framework deployments
- Systems running the vulnerable /api/npcs/{id}/photo endpoint
Discovery Timeline
- February 19, 2025 - CVE-2025-27092 published to NVD
- February 27, 2025 - Last updated in NVD database
Technical Details for CVE-2025-27092
Vulnerability Analysis
The vulnerability resides in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) within the GHOSTS simulation framework. The endpoint fails to properly validate and sanitize file paths provided through the photoLink parameter when creating or modifying NPC records.
When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal.
Root Cause
The root cause of this vulnerability is improper input validation in the photo retrieval functionality. The application directly uses user-supplied path values without verifying that the resolved path remains within the intended application scope. The lack of path canonicalization and boundary checking enables attackers to escape the designated photo directory.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can exploit this flaw by:
- Creating an NPC record with a malicious photoLink value containing path traversal sequences
- Requesting the photo endpoint for that NPC
- The server processes the path traversal sequences and returns files from arbitrary locations on the filesystem
The attack could be used to exfiltrate sensitive files such as /etc/passwd, application configuration files containing database credentials, or any other file readable by the web application process.
// Security patch implementing path validation
// Source: https://github.com/cmu-sei/GHOSTS/commit/e69827556a52ff813de00e1017c4b62598d2c887
+// Copyright 2017 Carnegie Mellon University. All Rights Reserved. See LICENSE.md file for terms.
+
+using System;
+using System.IO;
+
+namespace ghosts.api.Infrastructure.Extensions;
+
+public static class DirectoryExtensions
+{
+ public static bool IsPathWithinAppScope(this string targetPath, string root)
+ {
+ try
+ {
+ var fullRootPath = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
+ var fullTargetPath = Path.GetFullPath(Path.Combine(fullRootPath, targetPath));
+
+ return fullTargetPath.StartsWith(fullRootPath, StringComparison.OrdinalIgnoreCase);
+ }
+ catch
+ {
+ return false;
+ }
+ }
+}
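Review bot: the containment test at `return fullTargetPath.StartsWith(fullRootPath, StringComparison.OrdinalIgnoreCase);` is case-insensitive on every platform, which only matches file-system semantics on Windows; on a case-sensitive file system a directory whose name differs from the root only in letter case is a different directory yet still passes the prefix test, so select the comparison per platform, e.g. `OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal`. `Path.GetFullPath` is also purely lexical and does not resolve symbolic links, so a doc comment on `IsPathWithinAppScope` should state that the check is lexical and that `targetPath` is expected to be relative to `root`.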
Source: GitHub GHOSTS Commit Update
The patch introduces the IsPathWithinAppScope extension method that properly validates whether a target path remains within the allowed root directory by comparing canonicalized paths.
Detection Methods for CVE-2025-27092
Indicators of Compromise
- Unusual requests to /api/npcs/{id}/photo endpoints containing ../ or ..\ sequences
- NPC records with photoLink values containing path traversal patterns
- Web server logs showing attempts to access system files like /etc/passwd or Windows configuration files
- Application errors or exceptions related to file access outside the photo directory
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in requests
- Monitor API access logs for patterns matching directory traversal attempts (../, ..\, %2e%2e%2f, %2e%2e/)
- Enable detailed logging on the GHOSTS API endpoints to capture suspicious file access attempts
- Deploy intrusion detection systems (IDS) with signatures for path traversal attacks
Monitoring Recommendations
- Set up alerts for any requests to the /api/npcs/*/photo endpoint containing encoded or literal path traversal sequences
- Monitor file system access patterns from the GHOSTS web application process for reads outside expected directories
- Review NPC creation and modification requests for suspicious photoLink values
- Implement anomaly detection for unusual file access patterns from the web server process
How to Mitigate CVE-2025-27092
Immediate Actions Required
- Upgrade GHOSTS to version 8.2.7.90 or later immediately
- Audit existing NPC records for any entries containing path traversal sequences in the photoLink field
- Review application logs for evidence of exploitation attempts
- Consider restricting network access to the GHOSTS API while patching
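The log-review and NPC-record audit steps above, together with the indicators listed under Detection Methods, as an added Python example (not GHOSTS code): the log lines are constructed in combined log format, the record shape is assumed, and the matcher decodes percent-encoding before looking for a `..` segment so `%2e%2e%2f` and `..\` variants are caught.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined log format; illustrative, not real GHOSTS logs.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2025:10:01:02 +0000] "GET /api/npcs/42/photo HTTP/1.1" 200 5120
10.0.0.9 - - [20/Feb/2025:10:01:07 +0000] "GET /api/npcs/42/photo/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [20/Feb/2025:10:01:09 +0000] "GET /api/npcs/42/photo/%2e%2e/%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0
10.0.0.7 - - [20/Feb/2025:10:02:11 +0000] "GET /api/npcs/7/photo HTTP/1.1" 200 4096
10.0.0.9 - - [20/Feb/2025:10:02:30 +0000] "GET /api/npcs/42/photo/..%255c..%255cwindows%255cwin.ini HTTP/1.1" 404 0
"""

# Request line of the combined log format: client, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment bounded by a separator or the string edge; "photo..jpg" does not match.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value: str, max_decode: int = 3) -> str:
    # Percent-decode until stable (catches %2e%2e%2f and double-encoded %252e%252e),
    # then fold backslashes into slashes so "..\" is treated like "../".
    current = value
    for _ in range(max_decode):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def contains_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(normalize(value)) is not None


def scan_access_log(lines):
    # Returns (client, method, raw target, status) for requests under /api/npcs/
    # whose decoded target carries a traversal segment.
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and "/api/npcs/" in normalize(m.group("target")) and contains_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target"), m.group("status")))
    return hits


def audit_npc_records(records):
    # records: dicts with "id" and "photoLink" keys (assumed shape, not the GHOSTS schema).
    return [r["id"] for r in records if contains_traversal(str(r.get("photoLink", "")))]
```

`contains_traversal` is the same predicate for both uses, so a stored photoLink and a logged request target are judged by one rule.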
Patch Information
CMU has addressed this vulnerability in GHOSTS version 8.2.7.90. The fix implements proper path validation using the IsPathWithinAppScope method that canonicalizes both the root directory and target path, then verifies the target path starts with the root directory. This prevents attackers from escaping the intended photo directory regardless of the traversal technique used.
For detailed patch information, see the GitHub Security Advisory GHSA-qr67-m6w9-wj3j.
Workarounds
- There is no workaround that removes the vulnerability; upgrading is the only remediation. The measures below only reduce exposure until the upgrade is applied
- As a temporary measure, restrict network access to the GHOSTS API to trusted IP addresses only
- Implement a reverse proxy with WAF rules to filter requests containing path traversal patterns
- Consider disabling the photo retrieval functionality if not critical to operations until patching is complete
# Upgrade GHOSTS to patched version
# Clone the latest version from GitHub
git clone https://github.com/cmu-sei/GHOSTS.git
cd GHOSTS
git checkout v8.2.7.90
# Rebuild and redeploy the application following CMU documentation
# Verify the patch by checking for DirectoryExtensions.cs
ls -la src/Ghosts.Api/Infrastructure/Extensions/DirectoryExtensions.cs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.