Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67442

CVE-2025-67442: Eve-ng Path Traversal Vulnerability

CVE-2025-67442 is a path traversal flaw in Eve-ng 6.4.0-13-PRO that allows authenticated users to exploit the /api/export interface due to inadequate input validation. This post covers technical details, impact, and mitigation.

Published:

CVE-2025-67442 Overview

CVE-2025-67442 is a directory traversal vulnerability affecting EVE-NG 6.4.0-13-PRO, a network emulation platform widely used for lab simulations and training. The flaw resides in the /api/export interface, which permits authenticated users to export lab files. The endpoint fails to properly validate or sanitize file path parameters supplied by the user. Attackers with valid credentials can traverse the file system outside the intended lab directory and access sensitive files on the host. The weakness is classified as [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory).

Critical Impact

Authenticated attackers can read arbitrary files from the EVE-NG host through the lab export endpoint, exposing configuration data and system files.

Affected Products

  • EVE-NG Professional 6.4.0-13

Discovery Timeline

  • 2025-12-19 - CVE-2025-67442 published to the National Vulnerability Database (NVD)
  • 2026-01-02 - Last updated in NVD database

Technical Details for CVE-2025-67442

Vulnerability Analysis

The vulnerability exists in the /api/export REST endpoint exposed by the EVE-NG Professional web application. The endpoint accepts a file path parameter that designates which lab file an authenticated user wishes to export. The application trusts the supplied path and uses it directly in file system operations without enforcing a canonical base directory. As a result, an authenticated user can submit traversal sequences such as ../ to escape the intended lab directory. The flaw permits read access to files outside the application's data scope, including sensitive system configuration files readable by the service account.

Root Cause

The root cause is the absence of input validation and path normalization on user-supplied file path parameters. The application does not resolve the requested path against an allow-listed base directory before performing the export operation. It also does not filter traversal sequences or restrict access to file extensions associated with lab artifacts.

Attack Vector

Exploitation requires network access to the EVE-NG web interface and a valid authenticated session with at least low-privilege credentials. The attacker sends a crafted request to /api/export containing relative path traversal sequences in the file parameter. The server resolves the manipulated path and returns the contents of arbitrary files accessible to the EVE-NG service. No user interaction is required beyond the authenticated session. Technical details and proof-of-concept material are documented in the public PoC writeup.

Detection Methods for CVE-2025-67442

Indicators of Compromise

  • HTTP requests to /api/export containing path traversal sequences such as ../, ..%2f, or URL-encoded equivalents in path parameters.
  • Unexpected access to files outside standard EVE-NG lab directories (typically /opt/unetlab/labs/).
  • Export operations returning unusually large files or files with extensions other than .unl.

Detection Strategies

  • Inspect web server and application logs for /api/export requests containing encoded or unencoded directory traversal patterns.
  • Correlate authenticated user sessions with anomalous export volumes or atypical file path parameters.
  • Deploy web application firewall (WAF) rules to flag traversal patterns targeting the EVE-NG API surface.

Monitoring Recommendations

  • Enable verbose access logging on the EVE-NG web interface and forward logs to a centralized SIEM for retention and analysis.
  • Monitor file system reads performed by the EVE-NG service process for access to sensitive paths such as /etc/passwd, /etc/shadow, or configuration directories.
  • Alert on repeated failed or successful export requests from a single authenticated account within a short time window.

How to Mitigate CVE-2025-67442

Immediate Actions Required

  • Restrict network access to the EVE-NG management interface to trusted administrative networks only.
  • Audit existing user accounts and remove unused or low-trust accounts that have access to the export functionality.
  • Review web server logs for prior exploitation attempts referencing /api/export with traversal sequences.

Patch Information

No vendor advisory or patch reference was published in the NVD entry at the time of writing. Operators should monitor the EVE-NG vendor channels for an official fix and apply updates as soon as they become available. Until a patch is released, apply the workarounds below.

Workarounds

  • Place a reverse proxy or WAF in front of EVE-NG and block requests to /api/export containing ../, ..\, or URL-encoded traversal sequences.
  • Enforce strict authentication policies, including strong passwords and multi-factor authentication where supported, to reduce the pool of accounts that could abuse the endpoint.
  • Run EVE-NG with the least operating system privileges practical to limit the scope of files readable through the traversal.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.