CVE-2025-7895 Overview
A critical unrestricted file upload vulnerability has been identified in harry0703 MoneyPrinterTurbo versions up to and including 1.2.6. The vulnerability exists in the upload_bgm_file function within the app/controllers/v1/video.py file, specifically in the File Extension Handler component. This flaw allows attackers to bypass file type restrictions and upload arbitrary files, potentially leading to remote code execution on affected systems.
Critical Impact
Remote attackers can exploit insufficient file extension validation to upload malicious files, potentially gaining unauthorized access or executing arbitrary code on servers running vulnerable versions of MoneyPrinterTurbo.
Affected Products
- harry0703 MoneyPrinterTurbo versions up to and including 1.2.6
Discovery Timeline
- 2025-07-20 - CVE-2025-7895 published to NVD
- 2025-11-20 - Last updated in NVD database
Technical Details for CVE-2025-7895
Vulnerability Analysis
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control). The vulnerable function upload_bgm_file in the video controller fails to properly validate file extensions before processing uploaded files. This allows attackers to upload files with dangerous extensions that could be executed by the server or used to compromise the application.
The attack can be launched remotely over the network, requiring low privileges but no user interaction. The vulnerability affects the confidentiality, integrity, and availability of the system, as successful exploitation could allow attackers to read sensitive data, modify system files, or disrupt service availability.
Root Cause
The root cause of this vulnerability lies in the inadequate validation of file extensions within the File Extension Handler component. The upload_bgm_file function in app/controllers/v1/video.py does not implement proper checks to ensure that uploaded files conform to expected file types. This oversight allows attackers to manipulate the file argument to upload files with arbitrary extensions, bypassing intended security restrictions.
Attack Vector
The attack vector is network-based, allowing remote exploitation. An authenticated attacker with low-level privileges can craft malicious requests to the file upload endpoint, manipulating the file parameter to upload arbitrary file types. The lack of proper file extension validation means that dangerous file types such as executable scripts, web shells, or configuration files could be uploaded to the server.
Successful exploitation could enable an attacker to:
- Upload web shells for persistent access
- Execute arbitrary code on the server
- Modify application configurations
- Access sensitive data stored on the system
For detailed technical information about this vulnerability, refer to the VulDB entry.
Detection Methods for CVE-2025-7895
Indicators of Compromise
- Unusual file uploads to the BGM upload endpoint with unexpected file extensions
- Presence of executable files or scripts in upload directories
- Web shell files appearing in application directories
- Unexpected HTTP requests to the /v1/video endpoint with file upload parameters
Detection Strategies
- Monitor file upload endpoints for attempts to upload files with suspicious extensions such as .php, .py, .sh, .exe, or .jsp
- Implement file integrity monitoring on upload directories to detect unauthorized file additions
- Review web application logs for anomalous upload patterns or repeated failed upload attempts
- Deploy web application firewall (WAF) rules to inspect and block malicious file upload attempts
Monitoring Recommendations
- Enable detailed logging for the upload_bgm_file function and related file upload operations
- Set up alerts for file uploads that bypass extension validation or contain suspicious content
- Monitor server processes for execution of files from upload directories
- Implement regular security scans of application directories to identify potentially malicious files
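The detection and monitoring bullets above (suspicious extensions on the BGM upload endpoint, repeated attempts from one client) can be turned into a small log review script. The example below is added here and is not code from MoneyPrinterTurbo or the advisory; the log line layout, the field names, the repeat threshold and the sample lines are all constructed assumptions, since the project's real log format is not shown on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the kind of per-upload log line the advisory recommends
# enabling for upload_bgm_file. The field layout is assumed, not the project's.
SAMPLE_LOG = """\
2025-07-20 10:00:01 INFO upload_bgm_file client=10.0.0.5 user=alice filename=intro.mp3 size=1048576
2025-07-20 10:00:09 INFO upload_bgm_file client=10.0.0.5 user=alice filename=theme.wav size=5242880
2025-07-20 10:01:15 INFO upload_bgm_file client=198.51.100.7 user=guest filename=shell.php size=1200
2025-07-20 10:01:16 INFO upload_bgm_file client=198.51.100.7 user=guest filename=cover.mp3.py size=900
2025-07-20 10:01:17 INFO upload_bgm_file client=198.51.100.7 user=guest filename=evil.php.mp3 size=950
2025-07-20 10:01:18 INFO upload_bgm_file client=198.51.100.7 user=guest filename=../../app/config.toml size=300
2025-07-20 10:02:00 INFO upload_bgm_file client=10.0.0.9 user=bob filename=loop.ogg size=2097152
"""

# Audio types the workaround section allows for BGM uploads.
ALLOWED_AUDIO_EXTENSIONS = {".mp3", ".wav", ".ogg"}
# Extensions the detection section singles out for alerting.
SUSPICIOUS_EXTENSIONS = {".php", ".py", ".sh", ".exe", ".jsp"}
# This many flagged uploads from one client in the log window is an alert (assumed value).
REPEAT_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ upload_bgm_file client=(?P<client>\S+) "
    r"user=(?P<user>\S+) filename=(?P<filename>\S+) size=(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    user: str
    filename: str
    reason: str


def classify_filename(filename: str) -> Optional[str]:
    """Return why the uploaded name deserves review, or None if it looks like a plain audio file."""
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return "path separator or NUL byte in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "missing extension"
    final_ext = "." + parts[-1]
    if final_ext in SUSPICIOUS_EXTENSIONS:
        return f"script extension {final_ext}"
    if final_ext not in ALLOWED_AUDIO_EXTENSIONS:
        return f"extension {final_ext} not in audio allowlist"
    # A script extension tucked before an allowed one (evil.php.mp3) still merits
    # an alert: some web servers choose a handler from any extension in the name.
    hidden = {"." + p for p in parts[1:-1]} & SUSPICIOUS_EXTENSIONS
    if hidden:
        return "double extension hides " + ", ".join(sorted(hidden))
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse each upload_bgm_file log line and collect the ones that warrant review."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these too
        reason = classify_filename(m["filename"])
        if reason:
            findings.append(Finding(m["ts"], m["client"], m["user"], m["filename"], reason))
    return findings


def repeat_offenders(findings: List[Finding], threshold: int = REPEAT_THRESHOLD) -> List[str]:
    """Clients with at least `threshold` flagged uploads: the 'repeated attempts' pattern."""
    counts = Counter(f.client for f in findings)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.client} {f.user} {f.filename!r}: {f.reason}")
    print("repeat offenders:", repeat_offenders(hits))
```

Running the script over the constructed sample flags four of the seven uploads, all from one client, which is exactly the "repeated anomalous upload" signal the monitoring bullets ask for; in production the same two functions would be fed the real log stream and the findings forwarded to whatever alerting the team already uses.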
How to Mitigate CVE-2025-7895
Immediate Actions Required
- Upgrade MoneyPrinterTurbo to a version newer than 1.2.6 when available
- Review and restrict file upload permissions on the affected endpoint
- Implement additional file type validation at the application and server level
- Audit upload directories for any suspicious files that may have been uploaded
Patch Information
As of the last update, users should check the official harry0703 MoneyPrinterTurbo repository for security patches addressing this vulnerability. Monitor vendor communications for patch releases that address the unrestricted file upload issue in the upload_bgm_file function.
Workarounds
- Implement a whitelist of allowed file extensions for the BGM upload functionality, permitting only audio formats such as .mp3, .wav, and .ogg
- Add server-side validation to verify file content matches the declared file type using MIME type checking
- Configure web server to prevent execution of uploaded files by disabling script execution in upload directories
- Restrict access to the vulnerable endpoint to trusted users only until a patch is available
- Consider using a separate storage service for uploads that is isolated from the application server
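The first two workarounds (an extension allowlist plus content checking) are shown together below as one server-side validator. This is an added example, not the project's own upload handler and not the fix the maintainers shipped; the function names, the size cap, the accepted Content-Type values and the magic-byte checks are this example's assumptions. It goes slightly beyond the bullets by also storing the file under a server-generated name with a non-executable mode, which addresses the path-manipulation and execution concerns the advisory raises.

```python
import os
import uuid
from pathlib import Path
from typing import Dict, Optional, Set

# Allowed BGM formats keyed by extension, with the Content-Type values a client
# commonly declares for each. Anything not listed is refused (allowlist, not denylist).
ALLOWED_AUDIO: Dict[str, Set[str]] = {
    ".mp3": {"audio/mpeg", "audio/mp3"},
    ".wav": {"audio/wav", "audio/x-wav", "audio/wave"},
    ".ogg": {"audio/ogg"},
}
MAX_BGM_BYTES = 50 * 1024 * 1024  # assumed size cap, not a project setting


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the caller maps it to HTTP 400."""


def sniff_audio_extension(data: bytes) -> Optional[str]:
    """Identify the audio container from its leading bytes, ignoring what the client claims."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return ".wav"
    if data[:4] == b"OggS":
        return ".ogg"
    if data[:3] == b"ID3":  # MP3 with an ID3v2 tag
        return ".mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return ".mp3"  # raw MPEG audio frame sync (11 set bits)
    return None


def validate_bgm_upload(client_filename: str, content: bytes,
                        declared_type: Optional[str] = None) -> str:
    """Return the extension the file may be stored under, or raise UploadRejected.

    Three independent checks must agree: the extension is on the allowlist, the
    magic bytes match that extension, and the declared Content-Type (if any) is
    one of the values expected for it.
    """
    if not content or len(content) > MAX_BGM_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Keep only the last path component so '../' and drive prefixes are discarded.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_AUDIO:
        raise UploadRejected(f"extension {ext!r} is not an allowed audio type")
    sniffed = sniff_audio_extension(content)
    if sniffed != ext:
        raise UploadRejected(f"content does not look like {ext} (detected {sniffed})")
    if declared_type is not None:
        media_type = declared_type.split(";", 1)[0].strip().lower()
        if media_type not in ALLOWED_AUDIO[ext]:
            raise UploadRejected(f"declared Content-Type {media_type!r} does not match {ext}")
    return ext


def rejects(client_filename: str, content: bytes, declared_type: Optional[str] = None) -> bool:
    """True if validate_bgm_upload refuses the upload (convenient for tests and audit logs)."""
    try:
        validate_bgm_upload(client_filename, content, declared_type)
    except UploadRejected:
        return True
    return False


def store_bgm(upload_dir: str, client_filename: str, content: bytes,
              declared_type: Optional[str] = None) -> str:
    """Validate, then write under a server-generated name; the client's name never reaches disk."""
    ext = validate_bgm_upload(client_filename, content, declared_type)
    dest = os.path.join(upload_dir, f"{uuid.uuid4().hex}{ext}")
    # O_EXCL refuses to overwrite an existing file; 0o644 keeps it non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print("stored:", store_bgm(d, "intro.mp3", b"ID3" + b"\x00" * 32, "audio/mpeg"))
        print("shell.php rejected:", rejects("shell.php", b"<?php echo 1; ?>"))
        print("shell.php.mp3 rejected:", rejects("shell.php.mp3", b"<?php echo 1; ?>"))
```

The magic-byte check is what makes the allowlist meaningful: a renamed script passes an extension test but not a container test, and the declared Content-Type is treated as a third opinion rather than the deciding one. Pairing this with the web-server rule below (no script handlers for the upload directory) gives two layers that fail independently.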
# Example nginx configuration to prevent script execution in upload directories
location /uploads/ {
    # Refuse to serve files with script extensions (nginx returns 403);
    # also make sure no fastcgi/proxy handler is attached to this prefix
    location ~ \.(php|py|sh|pl|cgi)$ {
        deny all;
    }
    # Only allow audio file types to be served from here
    location ~ \.(mp3|wav|ogg|flac|aac)$ {
        allow all;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.