A crucial path traversal flaw in ZendTo has been assigned CVE-2025-34508 researchers found that variations 6.15–7 and prior allow authenticated customers to control file paths and retrieve delicate knowledge from the host system.
This subject underscores the persistent threat in web-based file switch functions.
Path Traversal Vulnerability (CVE-2025-34508)
ZendTo is a PHP-driven dropoff or pickup service that enables any registered consumer to add information for sharing. Through the “dropoff” course of, two variables chunkName and tmp_name decide how file uploads are staged and moved.
Horizon3.ai stories that the server-side sanitization routine strips non-alphanumeric characters from chunkName, but when an attacker provides a chunkName comprised solely of non-alphanumeric characters, the sanitization leaves an empty or dot-only string.
This leads to a chunkPath pointing to the foundation uploads listing quite than a singular momentary file:
As soon as chunkPath is established, the code concatenates a user-controlled tmp_name to relocate the file into the goal dropoff listing:
As a result of tmp_name shouldn’t be sanitized, attackers can embed listing traversal sequences.
Downloading this file exposes the applying’s log knowledge, together with dropoff declare IDs, creating the way in which to enumerate and exfiltrate any user-uploaded content material or crucial system information.
Drop-off Abstract
Threat FactorsDetailsAffected ProductsZendTo variations 6.15–7 and priorImpactArbitrary file learn and knowledge disclosureExploit PrerequisitesLow-privilege authenticated userCVSS 3.1 Score7.8 (Excessive)
Mitigation
In default installations, file entry is proscribed to the www-root consumer’s permissions, but this usually encompasses all uploaded content material. Past consumer information, adversaries might goal the ZendTo database or supply code, probably inflicting a denial-of-service.
Though CVE-2025-34508 requires authentication, the minimal barrier permits low-privilege customers to carry out arbitrary file reads.
Directors are strongly urged to improve instantly. The repair implements stricter validation on each chunkName and tmp_name, making certain solely secure, anticipated filenames are processed.
This disclosure follows high-profile incidents involving MOVEit Switch (CVE-2023-34362), Accellion FTA (CVE-2021-27104), and GoAnywhere MFT (CVE-2023-0669), highlighting that file-sharing platforms stay prime targets.
Organizations should keep vigilant patch administration and conduct common safety critiques of their file switch functions.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
