PT-2025-6001 · Sftpgo+1

Ateamjkr · Published 2025-02-07 · Updated 2025-02-11 · CVE-2025-24366

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SFTPGo versions prior to v2.6.5

Description: SFTPGo is an open source, event-driven file transfer solution that supports execution of a defined set of commands over SSH, including the optional rsync command. Because the client-provided rsync command line is not sanitized, an authenticated remote user can pass rsync options that make the server-side rsync read or write files with the permissions of the SFTPGo server process.

Recommendations: For versions prior to v2.6.5, upgrade to v2.6.5 or later, which fixes the issue by checking the client-provided arguments. If you cannot upgrade immediately, disable the rsync command as a temporary workaround. Otherwise, restrict which users may run rsync to minimize the risk of exploitation, and do not expose the rsync command to untrusted users until the issue is resolved.
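The fix the advisory describes is argument checking on the server side. The following Go example, added here and not SFTPGo's own code, shows the shape of such a check: it accepts only the command line rsync itself generates for the remote side ("rsync --server [--sender] <flag cluster> . <path>"), allowlists a small set of long options, and refuses any other "--" option, including those that make rsync open a file by name on the server (such as --files-from or --log-file). The allowlist contents, the function name and the sample command lines are assumptions for illustration; a real deployment would extend the allowlist to the options it needs and would unquote the command with shell rules rather than splitting on whitespace.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrRsyncArgs is returned when a client-supplied rsync command line is refused.
var ErrRsyncArgs = errors.New("rsync: unsupported or unsafe argument")

// serverFlags matches the compact option cluster an rsync client sends to the
// server side, e.g. "-vlogDtpre.iLsfxC" (the letters after the dot are the
// protocol capabilities that follow "-e"). Nothing else may follow the dash.
var serverFlags = regexp.MustCompile(`^-[A-Za-z]+(\.[A-Za-z]*)?$`)

// allowedLong is a deliberately small, assumed allowlist of long options.
// Every other "--" option is refused, which covers the options that make
// rsync read or write a named file on the server ("--files-from", "--log-file").
var allowedLong = map[string]bool{
	"--server": true,
	"--sender": true,
	"--delete": true,
}

// ValidateRsyncCommand checks the exec request string sent by an SSH client
// and returns the argument vector only if it is a plain "rsync --server"
// invocation whose every option is allowlisted.
func ValidateRsyncCommand(cmd string) ([]string, error) {
	args := strings.Fields(cmd)
	if len(args) < 4 || args[0] != "rsync" || args[1] != "--server" {
		return nil, fmt.Errorf("%w: not an \"rsync --server\" command", ErrRsyncArgs)
	}
	opts, paths := args[2:len(args)-2], args[len(args)-2:]
	for _, a := range opts {
		switch {
		case allowedLong[a]:
			// explicitly permitted long option
		case strings.HasPrefix(a, "--"):
			return nil, fmt.Errorf("%w: %q", ErrRsyncArgs, a)
		case serverFlags.MatchString(a):
			// compact short-flag cluster generated by the rsync client
		default:
			return nil, fmt.Errorf("%w: %q", ErrRsyncArgs, a)
		}
	}
	// rsync always sends "." as the placeholder source; the final argument is
	// the path and must not look like an option, or rsync would parse it as one.
	if paths[0] != "." || strings.HasPrefix(paths[1], "-") {
		return nil, fmt.Errorf("%w: unexpected path arguments %q", ErrRsyncArgs, paths)
	}
	return args, nil
}

func main() {
	// Constructed sample command lines: two benign transfers and one that
	// asks the server-side rsync to read a file it should never touch.
	for _, c := range []string{
		"rsync --server -vlogDtpre.iLsfxC . /home/user/backup",
		"rsync --server --sender -vlogDtpre.iLsfxC . /home/user/docs",
		"rsync --server --files-from=/etc/passwd -vlogDtpre.iLsfxC . /tmp",
	} {
		_, err := ValidateRsyncCommand(c)
		fmt.Printf("%-70s -> %v\n", c, err)
	}
}
```

The check is an allowlist rather than a denylist on purpose: rsync has many options that take a file name, and new ones appear between releases, so refusing everything not explicitly permitted is the only posture that does not need to be revisited for each rsync version.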

Exploit · Fix · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-24366
GHSA-VJ7W-3M8C-6VPX
GO-2025-3458
OPENSUSE-SU-2025:14754-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Sftpgo
Suse