Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837.
AnalysisAI
CVE-2025-6445 is a critical directory traversal vulnerability in ServiceStack's FindType method that allows remote attackers to execute arbitrary code without authentication. The vulnerability stems from insufficient path validation in file operations, enabling attackers to traverse the filesystem and execute malicious code in the context of the affected application process. With a CVSS score of 8.1 and network-based attack vector, this vulnerability poses significant risk to ServiceStack deployments, though exploitation requires application-level interaction with the vulnerable FindType method.
Technical ContextAI
ServiceStack is a popular open-source .NET web services framework that provides rapid development capabilities for REST and SOAP services. The vulnerability resides in the FindType method implementation, which fails to properly validate user-supplied path parameters before using them in file system operations. This is a classic CWE-22 (Path Traversal) vulnerability where an attacker can use path traversal sequences (e.g., '../', '..\') to access files outside the intended directory scope. Once arbitrary files are accessible through path traversal, the attacker can potentially load and execute malicious code through ServiceStack's reflection and type-loading mechanisms. The vulnerability affects ServiceStack versions across multiple platforms where the FindType method is exposed to user input, typically through HTTP request parameters or service method arguments.
RemediationAI
- IMMEDIATE: Update ServiceStack to the latest patched version released by the vendor (version specifics should be verified in official ServiceStack security advisory - typically a point release addressing CVE-2025-6445). 2. VALIDATION WORKAROUND (pre-patch): Implement strict input validation on any user-supplied path parameters passed to FindType or related methods - whitelist acceptable paths, reject traversal sequences ('../', '..\', and encoded variants), and use Path.GetFullPath() with directory containment checks. 3. NETWORK SEGMENTATION: Restrict network access to ServiceStack endpoints to trusted sources if immediate patching is delayed. 4. DISABLE EXPOSED METHODS: If FindType functionality is not required by the application, disable or restrict access to it through application configuration or IIS/reverse proxy rules. 5. MONITORING: Implement logging and alerting for requests containing path traversal sequences to the affected endpoints. Consult official ServiceStack security advisories (likely at github.com/ServiceStack/ServiceStack) and nuget.org for patched package versions.
More in Servicestack
View allServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken functio
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1),
ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attac
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19131