CVE-2025-66022 Overview
CVE-2025-66022 is a critical authentication bypass vulnerability in FACTION, an OWASP PenTesting Report Generation and Collaboration Framework. The vulnerability exists in the extension framework's lifecycle hook execution path, which permits untrusted extension code to execute arbitrary system commands on the server. Combined with a missing authentication check on the /portal/AppStoreDashboard endpoint, an unauthenticated attacker can upload malicious extensions and achieve remote code execution (RCE) on the host running FACTION.
Critical Impact
Unauthenticated attackers can upload malicious extensions and execute arbitrary system commands on servers running FACTION versions prior to 1.7.1, resulting in complete system compromise.
Affected Products
- OWASP FACTION versions prior to 1.7.1
- FACTION PenTesting Report Generation Framework (all installations with App Store functionality)
- Self-hosted FACTION deployments with exposed web interfaces
Discovery Timeline
- 2025-11-26 - CVE-2025-66022 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-66022
Vulnerability Analysis
This vulnerability combines two critical security flaws: an authentication bypass (CWE-287) and missing authorization (CWE-862). The core issue lies in the authorization logic within the AppStoreController.java and InstallExtensionController.java files. The original code used a flawed boolean logic condition that allowed access when the App Store was disabled, regardless of the user's admin status.
When the App Store feature is disabled (isAppStoreEnabled() returns false), the original condition if(this.isAppStoreEnabled() && !this.isAcadmin()) evaluates to false, which incorrectly permits access to the extension management interface. This means any unauthenticated user could access the App Store dashboard and upload arbitrary extensions when the App Store was disabled—a condition many administrators might consider "safe."
Once a malicious extension is uploaded, FACTION's extension framework executes the extension code during lifecycle hook invocation. This execution occurs with server-level privileges, allowing attackers to run arbitrary system commands and achieve full remote code execution on the FACTION host.
Root Cause
The root cause is a logical error in the authorization check within FACTION's extension management controllers. The original condition used && (AND) logic when it should have used || (OR) logic. This meant that both conditions had to be true for access to be denied, rather than denying access if either condition failed. When the App Store was disabled, the first part of the condition (isAppStoreEnabled()) returned false, causing the entire authorization check to short-circuit and incorrectly allow access.
Attack Vector
The attack vector is network-based and requires no authentication, privileges, or user interaction. An attacker can:
- Access the /portal/AppStoreDashboard endpoint directly (especially when App Store is disabled)
- Upload a malicious extension containing arbitrary code
- Trigger the extension's lifecycle hook to execute system commands
- Achieve remote code execution with server-level privileges
The patched code corrects the logic to properly deny access:
@Before(priority=1)
public String authorization() {
// Original flawed logic (vulnerable):
// if(this.isAppStoreEnabled() && !this.isAcadmin()) {
// Fixed logic - deny access if AppStore is disabled OR user is not admin:
if(!this.isAppStoreEnabled() || !this.isAcadmin()) {
AuditLog.notAuthorized( this,
"Invalid Access to App Store", true);
return LOGIN;
Source: GitHub Commit c6389f1c76175b7c1c68d1a87b389311b16c62c3
Detection Methods for CVE-2025-66022
Indicators of Compromise
- Unauthorized access attempts to /portal/AppStoreDashboard or extension management endpoints
- Unexpected extension installations or modifications in the FACTION extensions directory
- Unusual process spawning from the FACTION server process
- Web server logs showing unauthenticated requests to App Store-related endpoints
Detection Strategies
- Monitor HTTP access logs for requests to /portal/AppStoreDashboard from unauthenticated sessions
- Implement file integrity monitoring on FACTION extension directories to detect unauthorized uploads
- Deploy network intrusion detection rules for suspicious POST requests to extension upload endpoints
- Review FACTION audit logs for "Invalid Access to App Store" entries which may indicate exploitation attempts
Monitoring Recommendations
- Enable detailed logging for all authentication and authorization events in FACTION
- Set up alerts for new extension installations, especially from unrecognized sources
- Monitor server process activity for unusual command execution patterns originating from the FACTION application
- Implement web application firewall (WAF) rules to restrict access to administrative endpoints
How to Mitigate CVE-2025-66022
Immediate Actions Required
- Upgrade FACTION to version 1.7.1 or later immediately
- Restrict network access to FACTION instances using firewall rules until patched
- Review installed extensions for any unauthorized or suspicious entries
- Audit server logs for signs of prior exploitation attempts
Patch Information
OWASP has released FACTION version 1.7.1 which addresses this vulnerability by correcting the authorization logic in both AppStoreController.java and InstallExtensionController.java. The fix changes the boolean logic from && to ||, ensuring that access is denied when either the App Store is disabled OR the user lacks administrator privileges. The security patch is available via the GitHub Security Advisory GHSA-xr72-2g43-586w and the specific commit can be reviewed at GitHub Commit c6389f1c76175b7c1c68d1a87b389311b16c62c3.
Workarounds
- Implement network-level access controls to restrict access to the FACTION web interface to trusted IP addresses only
- Place FACTION behind a reverse proxy with additional authentication requirements
- Disable or block access to the /portal/AppStoreDashboard endpoint at the web server or WAF level
- Monitor and audit all extension-related activity until the patch can be applied
# Example: Block access to vulnerable endpoint using nginx
location /portal/AppStoreDashboard {
deny all;
return 403;
}
# Example: Restrict FACTION access to internal networks using iptables
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
