Home

Description

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.

PUBLISHED Reserved 2025-04-15 | Published 2026-01-03 | Updated 2026-01-05 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status
unaffected

Any version
affected

Credits

Mike G.A (Eyodav) finder

VulnCheck coordinator

References

casaos.zimaspace.com/ product

github.com/IceWhaleTech/CasaOS product

www.vulncheck.com/...henticated-file-and-debug-data-exposure third-party-advisory

cve.org (CVE-2025-34171)

nvd.nist.gov (CVE-2025-34171)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.