{"id":3312,"date":"2025-03-13T14:53:38","date_gmt":"2025-03-13T12:53:38","guid":{"rendered":"https:\/\/certitude.consulting\/blog\/?p=3312"},"modified":"2025-03-13T14:53:39","modified_gmt":"2025-03-13T12:53:39","slug":"bolt-cms","status":"publish","type":"post","link":"https:\/\/certitude.consulting\/blog\/en\/bolt-cms\/","title":{"rendered":"CVE-2025-25599: A Cautionary Tale of Insecure Temporary Files"},"content":{"rendered":"\n

During a security assessment of Bolt<\/a>, an open-source content management system, it was discovered that temporary files are used insecurely<\/em> when uploading an avatar from a URL, leading to arbitrary file disclosure (CVE-2025-25599<\/a>):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The source code<\/a> for the backend function which handles such requests is listed below. Note the four lines highlighted<\/strong>; we can see that the backend performs these steps in the following order:<\/p>\n\n\n\n

    \n
  1. A temporary folder is created<\/li>\n\n\n\n
  2. The file pointed to by the URL is downloaded into the temporary folder<\/li>\n\n\n\n
  3. The function handleUpload<\/code> is executed<\/li>\n\n\n\n
  4. The temporary file is deleted<\/li>\n<\/ol>\n\n\n\n
    \/**\n * @Route(\"\/upload-url\", name=\"bolt_async_upload_url\", methods={\"POST\"})\n *\/\npublic function handleURLUpload(Request $request): Response\n{\n    try {\n        $this->validateCsrf('upload');\n    } catch (InvalidCsrfTokenException $e) {\n        return new JsonResponse([\n            'error' => [\n                'message' => 'Invalid CSRF token',\n            ],\n        ], Response::HTTP_FORBIDDEN);\n    }\n\n    $url = $request->get('url', '');\n    $filename = basename($url);\n\n    $locationName = $request->get('location', '');\n    $path = $request->get('path') . $filename;\n    $folderpath = $this->config->getPath($locationName, true, 'tmp\/');\n    $target = $this->config->getPath($locationName, true, 'tmp\/' . $path);\n\n    try {\n        \/\/ Make sure temporary folder exists\n        $this->filesystem->mkdir($folderpath);<\/mark><\/strong>\n        \/\/ Create temporary file\n        $this->filesystem->copy($url, $target);<\/mark><\/strong>\n    } catch (Throwable $e) {\n        return new JsonResponse([\n            'error' => [\n                'message' => $e->getMessage(),\n            ],\n        ], Response::HTTP_BAD_REQUEST);\n    }\n\n    $file = new UploadedFile($target, $filename);\n    $bag = new FileBag();\n    $bag->add([$file]);\n    $request->files = $bag;\n\n    $response = $this->handleUpload($request);<\/mark><\/strong>\n\n    \/\/ The file is automatically deleted. It may be that we don't need this.\n    $this->filesystem->remove($target);<\/mark><\/strong>\n\n    return $response;\n}<\/code><\/pre>\n\n\n\n
    Looking at the source code<\/a> for handleUpload<\/code>, we see that before setting a new avatar, various validation checks are carried out against the file size, extension, and contents. If all checks pass, only then is the user\u2019s avatar updated.<\/p>\n\n\n\n
    ...SNIP...<\/em>\n$acceptedFileTypes = array_merge($this->config->getMediaTypes()->toArray(), $this->config->getFileTypes()->toArray());\n$maxSize = $this->config->getMaxUpload();\n\n$uploadHandler->addRule(\n    'extension',\n    ['allowed' => $acceptedFileTypes],\n    'The file for field \\'{label}\\' was <u>not<\/u> uploaded. It should be a valid file type. Allowed are <code>' . implode('<\/code>, <code>', $acceptedFileTypes) . '.',\n    'Upload file'\n);\n\n$uploadHandler->addRule(\n    'size',\n    ['size' => $maxSize],\n    'The file for field \\'{label}\\' was <u>not<\/u> uploaded. The upload can have a maximum filesize of <b>' . $this->textExtension->formatBytes($maxSize) . '<\/b>.',\n    'Upload file'\n);\n\n$uploadHandler->addRule(\n    'callback',\n    ['callback' => [$this, 'checkJavascriptInSVG']],\n    'It is not allowed to upload SVG\\'s with embedded Javascript.',\n    'Upload file'\n);\n\n$uploadHandler->setSanitizerCallback(function ($name) {\n    return $this->sanitiseFilename($name);\n});\n...SNIP...<\/em><\/code><\/pre>\n\n\n\n
    So, what is the issue? It turns out that the temporary folder is [BOLT_PATH]\/public\/files\/tmp<\/code>, which, as the name suggests, is publicly accessible<\/em> (e.g. http:\/\/example.com\/files\/tmp\/<\/a>). This means that for the few milliseconds they exist, temporary files may be downloaded<\/em>. Furthermore, avatar URLs are not properly validated, and it is possible to \u201cupload\u201d local files using the file:\/\/<\/code> protocol, e.g. file:\/\/\/etc\/passwd<\/a>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Either by reviewing the source code, or by monitoring the temporary folder, we can determine the naming convention for temporary files. In the case of \/etc\/passwd<\/code>, a temporary file called avatarspasswd<\/code> is created.<\/p>\n\n\n\n
    root@host:\/opt\/bolt\/public\/files\/tmp# while [ 1==1 ]; do ls; done \navatarspasswd \navatarspasswd \navatarspasswd \navatarspasswd \navatarspasswd \n^C<\/code><\/pre>\n\n\n\n
    This means that if an attacker were able to time the request correctly, they could download the file from http:\/\/example.com\/files\/tmp\/avatarspasswd<\/a>. To demonstrate this exploit manually, we can first set up the following BurpSuite Intruder attack to spam download attempts:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Next, intercept a request to upload an avatar from file:\/\/\/etc\/passwd<\/code> and send it to Repeater:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    With both ready, we can go ahead and start the Intruder attack, then spam the upload request. The goal is to send a request to download the temporary file before it gets deleted<\/em>. If the attack was successfull, there will be a few responses with a 200 OK<\/code> status code, containing the contents of \/etc\/passwd<\/code>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Conclusion<\/strong><\/h2>\n\n\n\n
    Patches addressing this issue on the 5.1.x<\/a> and 5.2.x<\/a> branches were released on 2025-03-11<\/strong>. Our full advisory is available here<\/a>.<\/p>\n\n\n\n
    A Docker container for testing, as well as a proof of concept script for reproducing this exploit is available on our GitHub<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
    During a security assessment of Bolt, an open-source content management system, it was discovered that temporary files are used insecurely when uploading an avatar from a URL, leading to arbitrary file disclosure (CVE-2025-25599): The source code for the backend function which handles such requests is listed below. Note the four lines highlighted; we can see […]<\/p>\n","protected":false},"author":18,"featured_media":3414,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,103],"tags":[645,647,649,651],"class_list":["post-3312","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical-analysis","category-vulnerability-research-en","tag-bolt","tag-cms","tag-file-upload","tag-local-file-disclosure"],"_links":{"self":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/comments?post=3312"}],"version-history":[{"count":7,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3312\/revisions"}],"predecessor-version":[{"id":3415,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/3312\/revisions\/3415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media\/3414"}],"wp:attachment":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media?parent=3312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/categories?post=3312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/tags?post=3312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}