Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66384

CVE-2025-66384: MISP Path Traversal Vulnerability

CVE-2025-66384 is a path traversal vulnerability in MISP before version 2.5.24 caused by invalid file upload validation logic. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-66384 Overview

CVE-2025-66384 is a file upload validation flaw in MISP (Malware Information Sharing Platform) versions before 2.5.24. The vulnerability resides in app/Controller/EventsController.php, where invalid logic checks the validity of uploaded files via the tmp_name field. The flawed conditional allows the validation to be bypassed under specific circumstances, enabling authenticated high-privilege users to influence file handling outside intended constraints. The issue is tracked under CWE-684: Incorrect Provision of Specified Functionality.

Critical Impact

Improper boolean grouping in the file upload validation check allows attackers with high privileges to subvert the is_uploaded_file() safeguard in MISP, impacting integrity of threat intelligence data.

Affected Products

  • MISP (Malware Information Sharing Platform) versions prior to 2.5.24
  • app/Controller/EventsController.php file upload handling logic
  • MISP instances accepting module-based file uploads via event submissions

Discovery Timeline

  • 2025-11-28 - CVE-2025-66384 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-66384

Vulnerability Analysis

The vulnerability stems from incorrect operator precedence and logical grouping in a PHP conditional that validates uploaded files. In MISP versions before 2.5.24, the check combined $fileupload['error'], $fileupload['tmp_name'], and is_uploaded_file() using mixed && and || operators without adequate parentheses. As a result, the function is_uploaded_file() could be bypassed when the error code condition evaluated as true on its own, breaking the intended invariant that all three checks must pass simultaneously.

This class of defect is categorized under [CWE-684], where a function does not enforce the security constraint it is meant to provide. The downstream call to FileAccessTool::readAndDelete($fileupload['tmp_name']) then operates on attacker-influenced paths instead of a legitimate upload buffer.

Root Cause

The original code expression evaluated (A || (B && C)) instead of ((A) && (B) && (C)). The branch (isset($fileupload['error']) && $fileupload['error'] == 0) was sufficient on its own to enter the file-handling block, even when tmp_name did not reference a genuine HTTP upload. The is_uploaded_file() check, which is the core defense against forged tmp_name values, was effectively short-circuited.

Attack Vector

An authenticated user with permission to submit events and trigger module uploads can craft a request where the error field is set to 0 while tmp_name points to an arbitrary file path. Because the validation logic accepts that combination, MISP proceeds to read and delete the referenced file path through FileAccessTool::readAndDelete(). The integrity impact is high while confidentiality and availability impacts are lower, reflecting the file-deletion and content-read primitive the bug exposes.

php
                             $fail = __('Invalid file upload.');
                         } else {
                             $fileupload = $requestData['fileupload'];
-                            if ((isset($fileupload['error']) && $fileupload['error'] == 0) || (!empty($fileupload['tmp_name']) && $fileupload['tmp_name'] != 'none') && is_uploaded_file($fileupload['tmp_name'])) {
+                            if (
+                                (
+                                    !isset($fileupload['error']) || $fileupload['error'] == 0
+                                ) &&
+                                (
+                                    !empty($fileupload['tmp_name']) &&
+                                    $fileupload['tmp_name'] != 'none'
+                                ) && 
+                                is_uploaded_file($fileupload['tmp_name'])
+                            ) {
                                 $filename = basename($fileupload['name']);
                                 $modulePayload['data'] = FileAccessTool::readAndDelete($fileupload['tmp_name']);
                             } else {

Source: MISP commit 6867f0d3157a1959154bdad9ddac009dec6a19f5 — the patch restructures the conditional so all three validation clauses must hold before the upload is processed.

Detection Methods for CVE-2025-66384

Indicators of Compromise

  • Unexpected entries in MISP audit logs referencing module-based event uploads from high-privilege accounts.
  • Web server access logs showing POST requests to MISP event endpoints with anomalous fileupload multipart payloads.
  • Missing or unexpectedly deleted files on the MISP host that match paths referenced in recent application requests.

Detection Strategies

  • Monitor the running MISP version and flag any instance reporting a version earlier than 2.5.24.
  • Inspect EventsController request handlers for requests where fileupload[error] is 0 but tmp_name does not match the configured PHP upload temp directory.
  • Correlate file deletion events on the MISP server with HTTP requests to module upload endpoints to surface bypass attempts.

Monitoring Recommendations

  • Enable PHP and web server logging at sufficient verbosity to capture full multipart upload metadata for forensic review.
  • Alert on MISP application errors referencing FileAccessTool::readAndDelete outside of expected upload workflows.
  • Track privileged MISP user activity, since the vulnerability requires high privileges to exploit.

How to Mitigate CVE-2025-66384

Immediate Actions Required

  • Upgrade MISP to version 2.5.24 or later, which contains the corrected validation logic.
  • Audit MISP user accounts and revoke unnecessary high-privilege roles that can submit events with file uploads.
  • Review recent module upload activity for signs of tmp_name manipulation prior to patching.

Patch Information

The fix is included in MISP 2.5.24. The patch restructures the conditional in app/Controller/EventsController.php to require that the error code, tmp_name presence, and is_uploaded_file() checks all evaluate to true. See the MISP v2.5.23 to v2.5.24 comparison and the security commit 6867f0d for details.

Workarounds

  • Restrict access to MISP event submission and module upload endpoints to a minimal set of trusted accounts until patching is complete.
  • Place MISP behind a reverse proxy or WAF rule that rejects multipart uploads with tmp_name fields containing path traversal characters or absolute paths.
  • Disable optional MISP modules that rely on file uploads if they are not required by the deployment.
bash
# Upgrade MISP to the patched release
cd /var/www/MISP
sudo -u www-data git fetch --tags
sudo -u www-data git checkout v2.5.24
sudo -u www-data git submodule update --init --recursive
sudo systemctl restart apache2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.