{"id":"CVE-2025-1025","details":"Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different file extension to bypass the upload filter.","aliases":["GHSA-wp68-xrfg-xvq4"],"modified":"2026-03-20T04:22:14.026012Z","published":"2025-02-05T05:15:10.517Z","references":[{"type":"WEB","url":"https://gist.github.com/CHOOCS/fe1227443544d5d74c33982814f290af"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PHP-COCKPITHQCOCKPIT-8516320"},{"type":"FIX","url":"https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae"},{"type":"FIX","url":"https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Cockpit-HQ/Cockpit","events":[{"introduced":"0"},{"fixed":"af86ab1d0f48b60be3d467e4fa80b775965a3d05"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.1"}]}},{"type":"GIT","repo":"https://github.com/cockpit-hq/cockpit","events":[{"introduced":"0"},{"fixed":"984ef9ad270357b843af63c81db95178eae42cae"},{"fixed":"becca806c7071ecc732521bb5ad0bb9c64299592"}]}],"versions":["2.0.0","2.0.1","2.0.2","2.1.0","2.1.1","2.1.2","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}