CVE-2025-55149

描述

## Description A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. ## Impact This vulnerability allows attackers to: - Read any PDF file accessible to the server process - Potentially access sensitive documents outside the intended directory - Perform reconnaissance on the server's file system structure ## Vulnerable Code The issue occurs in the `review_paper` function around line 744: ```python if pdf_path.startswith("/api/files/"): # Safe path handling for API routes relative_path = pdf_path[len("/api/files/"):] generated_base = os.path.join(project_root, "generated") absolute_pdf_path = os.path.join(generated_base, relative_path) else: absolute_pdf_path = pdf_path # VULNERABLE: Direct use of user input ``` ## Proof of Concept ```bash curl -X POST http://localhost:5000/api/review \ -H "Content-Type: application/json" \ -d '{"pdf_path": "/etc/passwd"}' ``` ## Credit This vulnerability was discovered and reported by Ruizhe.

如何修補 CVE-2025-55149

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2025-55149 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 1.1.0

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-55149
• PATCHgithub.com/ulab-uiuc/tiny-scientist
• WEBgithub.com/ulab-uiuc/tiny-scientist/commit/7fd42873603012acb8c55a4fc3eaac9ab18e6559
• WEBgithub.com/ulab-uiuc/tiny-scientist/security/advisories/GHSA-rrgf-hcr9-jq6h