
Pro-Bit CVE-2025-69428

EUVD-2025-209579 | HIGH
Files or Directories Accessible to External Parties (CWE-552)
Published 2026-04-27, cve@mitre.org
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (5 events)

Apr 28, 2026 - 16:23 (vuln.today): Analysis Generated
Apr 28, 2026 - 16:22 (NVD): CVSS changed to 7.5 (HIGH)
Apr 27, 2026 - 19:22 (euvd): EUVD ID Assigned, EUVD-2025-209579
Apr 27, 2026 - 19:22 (vuln.today): Analysis Generated
Apr 27, 2026 - 19:16 (nvd): CVE Published, HIGH 7.5

Description (NVD)

An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access a sensitive directory and its subdirectories.

Analysis (AI)

Pro-Bit versions before 1.77.4 expose a sensitive directory, and everything beneath it, to remote attackers who hold no credentials. The NVD description says only that the directory can be accessed directly over the network; it does not name the directory, and it does not state whether the cause is a missing authorization check on a location the server serves or a path traversal flaw, so both should be treated as possible until the fix in 1.77.4 has been reviewed. The impact is information disclosure only (C:H, I:N, A:N). The EPSS score of 0.02% (6th percentile) indicates a low observed probability of exploitation, and there was no CISA KEV listing at the time of analysis, so despite the CVSS 7.5 rating there is no evidence of active exploitation in the wild.

Technical Context (AI)

Pro-Bit is affected by CWE-552 (Files or Directories Accessible to External Parties), the class of weakness in which access controls fail to keep files or directory listings that should be restricted from being retrieved by outside parties. The CVSS vector (network reachable, low complexity, no privileges, no user interaction) is consistent with two common causes: a directory that the web server serves without any authorization check at all, or a static-file handler that does not canonicalize the user-supplied path before comparing it against an allow or deny list, so that percent-encoded, double-encoded, or dot-segment spellings of a restricted path slip past the check. The advisory does not say which applies here. The impact sub-scores (C:H, I:N, A:N) describe read-only disclosure: an attacker can read but cannot modify or disrupt the system through this flaw alone. Note that the base score does not capture follow-on risk; if the exposed directory holds credentials or configuration, what an attacker can do with those secrets is a separate exposure that an assessment should account for.

Remediation (AI)

Upgrade Pro-Bit to version 1.77.4 or later, which the CVE description identifies as the fixed release. After upgrading, confirm the fix from an unauthenticated client: a request for the previously exposed directory, and for encoded or dot-segment variants of the same path, should be refused rather than served. The advisory references the GitHub repository at https://github.com/jasetpen/CVE-2025-69428 for technical details and possible workaround guidance if immediate patching is not feasible; treat any workaround found there as unverified until tested against your own deployment. If the upgrade is delayed, apply compensating controls: configure web server rules that explicitly deny external access to sensitive directories (configuration folders, backup directories, administrative paths), evaluating the rule against the decoded and normalized request path rather than the raw one; deploy a web application firewall with path traversal rules that block requests containing dot-segment or encoded traversal sequences; and restrict network exposure of the Pro-Bit instance to trusted IP ranges. Review web server access logs for anomalous directory access patterns, including direct requests for the sensitive directory, traversal sequences, and bursts of 404 responses from one client, to detect probing or exploitation attempts. WAF-based blocking may produce false positives if legitimate application workflows involve nested directory paths, so the detection rules will need tuning.
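As an added example (not Pro-Bit code, and not taken from the referenced repository), the following Python shows the two controls described above in working form: a deny rule for sensitive directories that is evaluated on the canonicalized request path rather than the raw one, shown next to the raw-path version it replaces, and a scan of access-log lines for requests that reach a protected directory or carry traversal sequences. The web root, the directory names, and the log lines are all constructed for the example; Pro-Bit's real directory layout is not known from the advisory.

```python
"""Added example, not Pro-Bit code: canonicalized deny rule for sensitive
directories, the raw-path rule it replaces, and an access-log scan.
Directory names, web root and log lines are constructed for illustration."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directories that must never be served to external parties.
SENSITIVE_PREFIXES = ("/config/", "/backup/", "/admin/")
# Hypothetical document root of the application.
WEB_ROOT = "/srv/probit/public"


def canonicalize(raw_path: str) -> str:
    """Map every spelling of a request path to one canonical absolute form.

    Decodes repeatedly (catches %252e%252e double encoding), drops any
    query string and NUL truncation, treats backslashes as separators and
    collapses dot segments with posixpath.normpath, which also discards
    any '..' that would climb above the root."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("\x00", 1)[0].replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def touches_sensitive(raw_path: str) -> bool:
    """True if the canonical path is a sensitive directory or lies inside one."""
    norm = canonicalize(raw_path)
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in SENSITIVE_PREFIXES)


def serve_vulnerable(raw_path: str):
    """Deny rule applied to the raw request path only (the weak pattern).

    '/config/x' is refused, but '/%63onfig/x' or '/static/../config/x'
    pass the check and are then served from the same directory."""
    if raw_path.startswith(SENSITIVE_PREFIXES):
        return None  # 403
    return WEB_ROOT + raw_path


def serve_hardened(raw_path: str):
    """Deny rule applied after canonicalization, plus a root-containment
    check so the resolved file can never leave WEB_ROOT."""
    norm = canonicalize(raw_path)
    if touches_sensitive(norm):
        return None  # 403
    full = posixpath.normpath(posixpath.join(WEB_ROOT, norm.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None  # 403: resolved outside the document root
    return full


# Combined Log Format fields needed for the scan.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Dot-segment traversal in plain, single- and double-encoded spellings.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e)", re.IGNORECASE)

# Constructed sample log lines (not from any real Pro-Bit deployment).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2026:19:16:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Apr/2026:19:16:02 +0000] "GET /config/ HTTP/1.1" 200 1843',
    '198.51.100.7 - - [27/Apr/2026:19:16:03 +0000] "GET /static/../config/db.yml HTTP/1.1" 200 977',
    '198.51.100.7 - - [27/Apr/2026:19:16:04 +0000] "GET /%63onfig/backup.sql HTTP/1.1" 403 0',
    '198.51.100.7 - - [27/Apr/2026:19:16:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4096',
]


def scan_access_log(lines):
    """Return one finding per request that reaches a sensitive directory
    (after canonicalization) or carries a traversal sequence.
    A 200 status on such a request means the control failed; a 403 means
    it held but someone is probing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        reasons = []
        if touches_sensitive(path):
            reasons.append("sensitive-dir")
        if TRAVERSAL_RE.search(path):
            reasons.append("traversal-sequence")
        if reasons:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} {','.join(f['reasons'])}")
```

The scan reports three of the five sample requests: the direct request for /config/, the dot-segment request that resolves into it, and the percent-encoded spelling; the two served with 200 are the ones that indicate the deny rule was not in place. When you add the equivalent rule to a real web server or WAF, keep in mind that the server usually decodes the path once before matching, so the rule must be written against the same canonical form the file handler ends up using, or encoded variants will still slip through.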


CVE-2025-69428 vulnerability details – vuln.today
