CVE-2025-55149

Description

## Description A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. ## Impact This vulnerability allows attackers to: - Read any PDF file accessible to the server process - Potentially access sensitive documents outside the intended directory - Perform reconnaissance on the server's file system structure ## Vulnerable Code The issue occurs in the `review_paper` function around line 744: ```python if pdf_path.startswith("/api/files/"): # Safe path handling for API routes relative_path = pdf_path[len("/api/files/"):] generated_base = os.path.join(project_root, "generated") absolute_pdf_path = os.path.join(generated_base, relative_path) else: absolute_pdf_path = pdf_path # VULNERABLE: Direct use of user input ``` ## Proof of Concept ```bash curl -X POST http://localhost:5000/api/review \ -H "Content-Type: application/json" \ -d '{"pdf_path": "/etc/passwd"}' ``` ## Credit This vulnerability was discovered and reported by Ruizhe.

How to fix CVE-2025-55149

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2025-55149 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 1.1.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-55149
• PATCHgithub.com/ulab-uiuc/tiny-scientist
• WEBgithub.com/ulab-uiuc/tiny-scientist/commit/7fd42873603012acb8c55a4fc3eaac9ab18e6559
• WEBgithub.com/ulab-uiuc/tiny-scientist/security/advisories/GHSA-rrgf-hcr9-jq6h