CVE-2025-1025: 
PHP vulnerability analysis and mitigation

A vulnerability has been identified in cockpit-hq/cockpit versions before 2.4.1, tracked as CVE-2025-1025. The vulnerability allows attackers to perform Arbitrary File Upload by bypassing the upload filter using different file extensions. This vulnerability was disclosed on December 16, 2024, and published on February 5, 2025 (NVD, Snyk).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue stems from insufficient upload filtering in the assets manager, where attackers can bypass the upload filter using extensions like .phar or .phtml to achieve Remote Code Execution (RCE). The vulnerability has received a CVSS v4.0 score of 7.7 (HIGH) and CVSS v3.1 score of 7.5 (HIGH), indicating significant potential impact (NVD, GitHub Commit).

The vulnerability allows attackers to bypass upload filters and potentially execute arbitrary code on the affected system through malicious file uploads. This can lead to Remote Code Execution (RCE), significantly compromising the integrity of the affected system (GitHub PoC).

The vulnerability has been fixed in version 2.4.1 of cockpit-hq/cockpit. The fix implements additional security checks for uploading files by expanding the list of blocked file extensions to include 'php', 'phar', and 'phtml'. Users should upgrade to version 2.4.1 or later to mitigate this vulnerability (GitHub Commit).