Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64714

CVE-2025-64714: PrivateBin Path Traversal Vulnerability

CVE-2025-64714 is a path traversal flaw in PrivateBin that enables unauthenticated local file inclusion when templateselection is enabled. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2025-64714 Overview

PrivateBin is a zero-knowledge online pastebin where the server cannot read stored data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion (LFI) vulnerability exists in the template-switching feature. When templateselection is enabled in the configuration, the server trusts the client-supplied template cookie and includes the referenced PHP file. An attacker can read sensitive data or achieve remote code execution if they can drop a PHP file elsewhere on the server. The issue is tracked as [CWE-23: Relative Path Traversal] and is patched in version 2.0.3.

Critical Impact

An unauthenticated remote attacker can manipulate the template cookie to include arbitrary PHP files on disk, potentially leading to information disclosure or code execution if a writable PHP file is reachable.

Affected Products

  • PrivateBin versions 1.7.7 through 2.0.2
  • Instances with templateselection = true set in cfg/conf.php
  • Deployments where attacker-controlled PHP files may exist on the filesystem

Discovery Timeline

  • 2025-11-13 - CVE CVE-2025-64714 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64714

Vulnerability Analysis

The flaw resides in PrivateBin's template selection logic. When templateselection is enabled, the TemplateSwitcher class reads the template value directly from the $_COOKIE superglobal and uses it to construct a path to a PHP template file. The application verifies file existence but does not restrict the value to a known allowlist before performing the include. An attacker sending a crafted cookie can reference any existing PHP file on the server. PrivateBin's own data files include a PHP header that prevents execution, so pasted content cannot be abused. However, stray configuration files or PHP scripts that execute actions without privilege checks may be reached through the include, leading to information disclosure or code execution.

Root Cause

The root cause is missing input validation on user-controllable data used in a file inclusion sink. The getTemplate() method returned the cookie-supplied template without ensuring it existed in the configured availabletemplates list. Because the cookie is not authenticated and the include is unconditional, this constitutes an unauthenticated LFI primitive.

Attack Vector

Exploitation requires only a single HTTP request against a vulnerable PrivateBin instance where templateselection is enabled. The attacker sets the template cookie to a relative path resolving to a PHP file present on the server. When the server processes the request, PHP includes and executes the referenced file. Chaining this with any writable path containing PHP content, such as an uploaded avatar handler or a misconfigured file, yields remote code execution.

php
// Patch excerpt from lib/Controller.php (v2.0.3)
$templates = $this->_conf->getKey('availabletemplates');
$template  = $this->_conf->getKey('template');
if (!in_array($template, $templates, true)) {
    $templates[] = $template;
}
TemplateSwitcher::setAvailableTemplates($templates);
TemplateSwitcher::setTemplateFallback($template);

// force default template, if template selection is disabled
if (!$this->_conf->getKey('templateselection') && array_key_exists('template', $_COOKIE)) {
    unset($_COOKIE['template']); // ensure value is not re-used in template switcher
    $expiredInAllTimezones = time() - 86400;
    setcookie('template', '', array('expires' => $expiredInAllTimezones, 'SameSite' => 'Lax', 'Secure' => true));
}

// Patch excerpt from lib/TemplateSwitcher.php (v2.0.3)
public static function getTemplate(): string
{
    if (array_key_exists('template', $_COOKIE)) {
        $template = basename($_COOKIE['template']);
        if (self::isTemplateAvailable($template)) {
            return $template;
        }
    }
    return self::$_templateFallback;
}

Source: PrivateBin patch commit 4434dbf. The fix applies basename() to strip path components from the cookie value and verifies the template against an allowlist before use.

Detection Methods for CVE-2025-64714

Indicators of Compromise

  • HTTP requests to PrivateBin endpoints carrying template cookies with path traversal sequences such as ../ or absolute paths
  • Web server logs showing PHP include errors referencing paths outside tpl/ or tpl/bootstrap/
  • Unexpected PHP execution errors mentioning files under cfg/, data/, or upload directories

Detection Strategies

  • Inspect access logs for the Cookie: template= header and flag values that are not in the configured availabletemplates list
  • Alert on PHP include/require warnings correlated with PrivateBin request paths
  • Baseline the PrivateBin version in use and flag any instance running 1.7.7 through 2.0.2 with templateselection enabled

Monitoring Recommendations

  • Forward web server and PHP error logs to a centralized analytics pipeline for anomaly detection on cookie-based inputs
  • Monitor filesystem writes to any directory reachable from the PrivateBin webroot for new .php files
  • Track outbound network activity from the PrivateBin host to detect post-exploitation callbacks

How to Mitigate CVE-2025-64714

Immediate Actions Required

  • Upgrade PrivateBin to version 2.0.3 or later
  • Set templateselection = false in cfg/conf.php or remove the directive entirely until the upgrade is complete
  • Audit the PrivateBin webroot and adjacent directories for unexpected PHP files
  • Rotate any secrets that may have been exposed through configuration file inclusion

Patch Information

The fix is delivered in PrivateBin 2.0.3 via commit 4434dbf. The patch applies basename() to the cookie value, validates the template against the configured allowlist, and clears the template cookie when template selection is disabled. Details are published in GitHub Security Advisory GHSA-g2j9-g8r5-rg82.

Workarounds

  • Disable the template switcher by setting templateselection = false in cfg/conf.php
  • Remove the templateselection option entirely to fall back to the secure default
  • Restrict access to the PrivateBin instance behind authentication or an IP allowlist until patched
bash
# Configuration example: disable template selection in cfg/conf.php
sed -i 's/^templateselection\s*=\s*true/templateselection = false/' /path/to/privatebin/cfg/conf.php

# Verify installed version
grep -R "VERSION" /path/to/privatebin/lib/Configuration.php

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.