CVE-2025-24971

OS Command Injection endpoint '/upload/init' parameter 'filename' (RCE) in DumpDrop

CVSS 9.5 CRITICALEPSS 3.2%CWE-78

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.5EPSS 3.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

04 Feb 2025Published on NVD

20 Feb 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

DumbWareio · DumbDrop

public PoCs found — 1

githubgithub.com/be4zad/CVE-2025-24971★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63 https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp