CVE-2022-25297
- Source
- https://cve.org/CVERecord?id=CVE-2022-25297
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25297.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-25297
- Related
- Published
- 2022-02-21T08:15:06.607Z
- Modified
- 2026-02-01T11:02:45.794110Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder.
- References
-
- https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447
- https://github.com/drogonframework/drogon/pull/1174
- https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243
- https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447
- https://github.com/drogonframework/drogon/pull/1174
- https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243
- https://github.com/drogonframework/drogon/pull/1174
- https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243
Affected packages
Git / github.com/drogonframework/drogon
Affected ranges
- Type
- GIT
- Repo
- https://github.com/drogonframework/drogon
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.0.0-beta1
v1.0.0-beta10
v1.0.0-beta11
v1.0.0-beta12
v1.0.0-beta13
v1.0.0-beta14
v1.0.0-beta15
v1.0.0-beta16
v1.0.0-beta17
v1.0.0-beta18
v1.0.0-beta19
v1.0.0-beta2
v1.0.0-beta20
v1.0.0-beta21
v1.0.0-beta3
v1.0.0-beta4
v1.0.0-beta5
v1.0.0-beta6
v1.0.0-beta7
v1.0.0-beta8
v1.0.0-beta9
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25297.json"
vanir_signatures
[
{
"source": "https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447",
"digest": {
"function_hash": "37057477960454672272932407177833032975",
"length": 722.0
},
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "HttpFileImpl::save",
"file": "lib/src/HttpFileImpl.cc"
},
"id": "CVE-2022-25297-245dfac0"
},
{
"source": "https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447",
"digest": {
"line_hashes": [
"329830697976169748614515796193646752348",
"296877909399723356704240062644499639609",
"246131006656457335295267660243000529304",
"299639677620053297613998212398280722258",
"332001847734061539945799738151853373849",
"193220407916038088474349069079872774557",
"177586148575868329591761710552160164831",
"330378742372019535368062478608716591465",
"217891348323817708651474763036026229803",
"40882387072610071076600600724306978688",
"310212331665395659482933475220839822141",
"156485776562964832749933879664501540185",
"159123746746997078854414405782887036574",
"293019432487315477077968734542701722475",
"163396601892015113289373512327901184316",
"178079586249692841531788483047937301695",
"113674775033782720742982292236164228004",
"64239049689787963407158555212187541021",
"292113121060057098615080165502850454901",
"153998383502790656132598179218907528462",
"79528832201786886281276716150670071726",
"173967634868149729839992819802876419748",
"165649300528987861743604615776849549378",
"31905345882675593451123168969502744789",
"198970178047627349696164571449837441804",
"153105893790276816082821765777959188552",
"14502310793105466117828250007032832634",
"209084964016979733833310577863521296907",
"1600634739889862514568236099897233305"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "lib/src/HttpFileImpl.cc"
},
"id": "CVE-2022-25297-57182182"
}
]