CVE-2025-67442 Overview
CVE-2025-67442 is a directory traversal vulnerability affecting EVE-NG 6.4.0-13-PRO, a network emulation platform widely used for lab simulations and training. The flaw resides in the /api/export interface, which permits authenticated users to export lab files. The endpoint fails to properly validate or sanitize file path parameters supplied by the user. Attackers with valid credentials can traverse the file system outside the intended lab directory and access sensitive files on the host. The weakness is classified as [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Authenticated attackers can read arbitrary files from the EVE-NG host through the lab export endpoint, exposing configuration data and system files.
Affected Products
- EVE-NG Professional 6.4.0-13
Discovery Timeline
- 2025-12-19 - CVE-2025-67442 published to the National Vulnerability Database (NVD)
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-67442
Vulnerability Analysis
The vulnerability exists in the /api/export REST endpoint exposed by the EVE-NG Professional web application. The endpoint accepts a file path parameter that designates which lab file an authenticated user wishes to export. The application trusts the supplied path and uses it directly in file system operations without enforcing a canonical base directory. As a result, an authenticated user can submit traversal sequences such as ../ to escape the intended lab directory. The flaw permits read access to files outside the application's data scope, including sensitive system configuration files readable by the service account.
Root Cause
The root cause is the absence of input validation and path normalization on user-supplied file path parameters. The application does not resolve the requested path against an allow-listed base directory before performing the export operation. It also does not filter traversal sequences or restrict access to file extensions associated with lab artifacts.
Attack Vector
Exploitation requires network access to the EVE-NG web interface and a valid authenticated session with at least low-privilege credentials. The attacker sends a crafted request to /api/export containing relative path traversal sequences in the file parameter. The server resolves the manipulated path and returns the contents of arbitrary files accessible to the EVE-NG service. No user interaction is required beyond the authenticated session. Technical details and proof-of-concept material are documented in the public PoC writeup.
Detection Methods for CVE-2025-67442
Indicators of Compromise
- HTTP requests to /api/export containing path traversal sequences such as ../, ..%2f, or URL-encoded equivalents in path parameters.
- Unexpected access to files outside standard EVE-NG lab directories (typically /opt/unetlab/labs/).
- Export operations returning unusually large files or files with extensions other than .unl.
Detection Strategies
- Inspect web server and application logs for /api/export requests containing encoded or unencoded directory traversal patterns.
- Correlate authenticated user sessions with anomalous export volumes or atypical file path parameters.
- Deploy web application firewall (WAF) rules to flag traversal patterns targeting the EVE-NG API surface.
Monitoring Recommendations
- Enable verbose access logging on the EVE-NG web interface and forward logs to a centralized SIEM for retention and analysis.
- Monitor file system reads performed by the EVE-NG service process for access to sensitive paths such as /etc/passwd, /etc/shadow, or configuration directories.
- Alert on repeated failed or successful export requests from a single authenticated account within a short time window.
How to Mitigate CVE-2025-67442
Immediate Actions Required
- Restrict network access to the EVE-NG management interface to trusted administrative networks only.
- Audit existing user accounts and remove unused or low-trust accounts that have access to the export functionality.
- Review web server logs for prior exploitation attempts referencing /api/export with traversal sequences.
Patch Information
No vendor advisory or patch reference was published in the NVD entry at the time of writing. Operators should monitor the EVE-NG vendor channels for an official fix and apply updates as soon as they become available. Until a patch is released, apply the workarounds below.
Workarounds
- Place a reverse proxy or WAF in front of EVE-NG and block requests to /api/export containing ../, ..\, or URL-encoded traversal sequences.
- Enforce strict authentication policies, including strong passwords and multi-factor authentication where supported, to reduce the pool of accounts that could abuse the endpoint.
- Run EVE-NG with the least operating system privileges practical to limit the scope of files readable through the traversal.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

