Summary of CVE-2025-24366: Vulnerability in SFTPGo
CVE-2025-24366 is a newly identified security vulnerability in SFTPGo, an open-source, event-driven file transfer solution. This vulnerability was reported to the National Vulnerability Database (NVD) on February 7, 2025, but has not yet undergone detailed analysis. SFTPGo allows users to execute a defined set of commands over SSH, including optional commands such as rsync. In its default configuration, rsync is disabled and limited to the local filesystem, making it ineffective with cloud or remote storage backends.
The issue arises from inadequate sanitization of the client-provided rsync command. Consequently, an authenticated remote user can manipulate certain options within the rsync command to read or write files using the permissions of the SFTPGo server process. The vulnerability was addressed in version 2.6.5 of SFTPGo by implementing checks for the arguments supplied by the client. Users are urged to update to this version to mitigate the risk, as no known workarounds are available.
CVSS Metrics
The Common Vulnerability Scoring System (CVSS) metrics for this vulnerability include classifications under different versions:
- CVSS Version 4.0, Version 3.x, and Version 2.0 are mentioned, but the specific severity scores and vectors are not provided within the summarized data.
- For CVSS 3.1, the vector is noted as:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, highlighting aspects like network attack vector (AV:N), high complexity (AC:H), low privilege required (PR:L), and significant impact on confidentiality (C:H), integrity (I:H), and availability (A:H).
Weakness Enumeration
The vulnerability is categorized under the classification CWE-78, which signifies inadequate neutralization of special elements used in an operating system command, commonly termed ‘command injection’. This classification further emphasizes the nature of the vulnerability, indicating that it could allow attackers to inject commands due to improper handling of input data.
References and Recommendations
Users and administrators of SFTPGo are encouraged to consult the following resources for further details on the vulnerability:
- The official GitHub commit log detailing the changes made in response to the identification of this vulnerability: Github Commit.
- The advisory that outlines the security implications: GitHub Security Advisory.
Conclusion
CVE-2025-24366 represents a significant security concern for users of SFTPGo, particularly those who may rely on the rsync functionality. The vulnerability allows potential exploits that could lead to unauthorized file access or modification. Thus, timely updates to the latest version (v2.6.5 and beyond) are crucial for ensuring the integrity and security of file transfers conducted through SFTPGo. As this vulnerability has been newly introduced, further analyses and discussions in the cybersecurity community will likely follow to better assess its implications and potential mitigation strategies.
For any further inquiries or comments, users can reach out to the NVD team via the provided contact details.