PT-2025-49044 · Django+1

Published: 2025-12-04 · Updated: 2025-12-09 · CVE-2025-54307

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Thermo Fisher Torrent Suite version 5.18.1

Description: The Django application within Thermo Fisher Torrent Suite has a flaw related to file uploads. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ API endpoints allow authenticated users to upload ZIP files. The plupload file upload function inadequately sanitizes file names, leading to a path traversal issue: the name parameter and the uploaded filename are used to construct the destination file path without proper sanitization. This allows an attacker to write arbitrary files to the server, potentially overwriting executables such as pdflatex. The write report pdf function then executes the overwritten file via subprocess.Popen when processing requests to the /report/latex/(\d+).pdf endpoint, resulting in remote code execution.

Recommendations: Ensure that all input file names are thoroughly sanitized before file paths are constructed from them. Strictly validate file extensions and restrict the characters allowed in file names to prevent path traversal. As a temporary workaround, consider restricting access to the /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ API endpoints.
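The following is an added illustration of the recommendation above, not code from the advisory or from Torrent Suite. It contrasts the flawed pattern the description outlines (a client-supplied name joined onto the upload directory without checks) with a hardened destination-path routine that applies a character allow-list, an extension allow-list, and a final resolved-path containment check. The upload root, the allow-lists and all function names are assumptions chosen for the example.

```python
import os
import re
from pathlib import Path

# Assumed upload directory for this example (not a path taken from the advisory).
UPLOAD_ROOT = Path("/var/tmp/plugin_uploads")
# Assumed allow-list: the affected endpoints accept ZIP bundles per the advisory.
ALLOWED_EXTENSIONS = {".zip"}
# Conservative basename allow-list: leading alphanumeric, then letters, digits,
# dot, dash or underscore, at most 128 characters in total.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeFilename(ValueError):
    """Raised when an upload name would escape or pollute the upload directory."""


def unsafe_destination(name: str, root: Path = UPLOAD_ROOT) -> Path:
    """The flawed pattern, shown for contrast only: the client-controlled
    name is joined onto the upload root with no checks, so '..' segments
    or an absolute path select a location outside the root."""
    return Path(os.path.join(str(root), name))


def safe_destination(name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate a client-supplied upload name and return a path that is
    guaranteed to sit directly under the upload root."""
    # Reject any path separator, whichever flavour the client used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base != name:
        raise UnsafeFilename("path separators are not allowed in upload names")
    # Reject empty and dot-only names, then enforce the character allow-list.
    if base in ("", ".", "..") or not SAFE_NAME.fullmatch(base):
        raise UnsafeFilename(f"filename {name!r} contains disallowed characters")
    # Enforce the extension allow-list (case-insensitive).
    if Path(base).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension of {name!r} is not permitted")
    # Defence in depth: after resolving symlinks, the destination's parent must
    # still be the upload root, so a future allow-list mistake cannot escape it.
    root_resolved = root.resolve()
    dest = (root_resolved / base).resolve()
    if dest.parent != root_resolved:
        raise UnsafeFilename("resolved destination escapes the upload root")
    return dest


def is_safe_upload_name(name: str) -> bool:
    """Convenience predicate: True when safe_destination() accepts the name."""
    try:
        safe_destination(name)
    except UnsafeFilename:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for candidate in ("plugin_v1.zip", "../escaped.zip", "bundle.tar.gz"):
        verdict = "accepted" if is_safe_upload_name(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

The unsafe function shows why joining alone is insufficient: normalising its output for a name containing '..' yields a path outside the upload root. The hardened version fails closed on separators, disallowed characters, unexpected extensions, and any resolved path whose parent is not the root itself.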

Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-54307

Affected Products: Django, Thermo Fisher Torrent Suite