Skip to main content

Servicestack EUVDEUVD-2025-19131

| CVE-2025-6445 HIGH
Path Traversal (CWE-22)
2025-06-25 zdi-disclosures@trendmicro.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19131
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 18:15 nvd
HIGH 8.1

DescriptionCVE.org

ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837.

AnalysisAI

CVE-2025-6445 is a critical directory traversal vulnerability in ServiceStack's FindType method that allows remote attackers to execute arbitrary code without authentication. The vulnerability stems from insufficient path validation in file operations, enabling attackers to traverse the filesystem and execute malicious code in the context of the affected application process. With a CVSS score of 8.1 and network-based attack vector, this vulnerability poses significant risk to ServiceStack deployments, though exploitation requires application-level interaction with the vulnerable FindType method.

Technical ContextAI

ServiceStack is a popular open-source .NET web services framework that provides rapid development capabilities for REST and SOAP services. The vulnerability resides in the FindType method implementation, which fails to properly validate user-supplied path parameters before using them in file system operations. This is a classic CWE-22 (Path Traversal) vulnerability where an attacker can use path traversal sequences (e.g., '../', '..\') to access files outside the intended directory scope. Once arbitrary files are accessible through path traversal, the attacker can potentially load and execute malicious code through ServiceStack's reflection and type-loading mechanisms. The vulnerability affects ServiceStack versions across multiple platforms where the FindType method is exposed to user input, typically through HTTP request parameters or service method arguments.

RemediationAI

  1. IMMEDIATE: Update ServiceStack to the latest patched version released by the vendor (version specifics should be verified in official ServiceStack security advisory - typically a point release addressing CVE-2025-6445). 2. VALIDATION WORKAROUND (pre-patch): Implement strict input validation on any user-supplied path parameters passed to FindType or related methods - whitelist acceptable paths, reject traversal sequences ('../', '..\', and encoded variants), and use Path.GetFullPath() with directory containment checks. 3. NETWORK SEGMENTATION: Restrict network access to ServiceStack endpoints to trusted sources if immediate patching is delayed. 4. DISABLE EXPOSED METHODS: If FindType functionality is not required by the application, disable or restrict access to it through application configuration or IIS/reverse proxy rules. 5. MONITORING: Implement logging and alerting for requests containing path traversal sequences to the affected endpoints. Consult official ServiceStack security advisories (likely at github.com/ServiceStack/ServiceStack) and nuget.org for patched package versions.

Share

EUVD-2025-19131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy