
CVE-2025-34171

Author: Eyodav

CVE-2025-34171: Unauthenticated File and Debug Data Exposure in CasaOS

Vulnerability Overview

| Field | Value |
|---|---|
| CVE ID | CVE-2025-34171, CVE-2025-59157 |
| Affects | CasaOS ≤ 0.4.15 |
| Fixed in | No Patch Available |
| Severity | Medium |
| CVSS 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862: Missing Authorization, CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere |

Executive Summary

CasaOS versions up to and including 0.4.15 contain multiple unauthenticated API endpoints that expose sensitive configuration files, detailed system debug information, stored URLs, and information about user-installed services within CasaOS. The vulnerability can be exploited over the network without authentication, allowing disclosure of application metadata, host operating system details, and file existence information. This exposure significantly facilitates reconnaissance and may enable targeted follow-up attacks against services deployed on affected systems.

Security Impact

  • Information Disclosure – Unauthenticated attackers can remotely retrieve sensitive application configuration files and internal metadata, including stored URLs, installed services, and CasaOS configuration data.
  • System Information Exposure – The vulnerability allows disclosure of detailed host information such as operating system, kernel version, hardware characteristics, and storage layout via exposed debug endpoints.
  • Reconnaissance and Target Profiling – Distinct error messages enable file existence enumeration, significantly improving an attacker’s ability to map the underlying filesystem and identify high-value targets for follow-up attacks.

Technical Details

Affected Versions

  • Vulnerable Versions: All CasaOS releases ≤ 0.4.15
  • Patched Version: No patch available

Attack Vector

CasaOS exposes multiple HTTP API endpoints that are accessible without authentication. The /v1/users/image endpoint processes a user-supplied path parameter intended to reference user images but fails to properly validate or constrain the input to the expected directory scope. As a result, crafted requests can cause the backend to access files located under /var/lib/casaos/1/, allowing retrieval of internal application configuration data and service metadata.

In addition, the /v1/sys/debug endpoint is publicly accessible and returns detailed system diagnostic information, including host operating system, kernel version, hardware characteristics, and storage details.

Both endpoints provide distinct and verbose error responses, which can be leveraged to infer the existence of files and directories on the underlying filesystem. The vulnerability is exploitable remotely over HTTP, requires no authentication, and does not depend on user interaction.
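
The two weaknesses described above for the image endpoint, a path parameter that is not constrained to its directory and error responses that differ by cause, are typically closed with a check like the one below. This is an added example, not CasaOS code: `confine`, `imageHandler`, the `path` query parameter name and the base directory are assumptions, and the authorization check the endpoint also lacks is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// One error for every rejection: "outside the directory" and "missing" look the same.
var errNotServable = errors.New("not servable")

// confine returns the resolved path of userPath only if it is a regular
// file inside baseDir. Hypothetical helper, not CasaOS code.
func confine(baseDir, userPath string) (string, error) {
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return "", errNotServable
	}
	// Join treats the input as relative to base and cleans ".." segments;
	// EvalSymlinks resolves links so the check sees the final target.
	resolved, err := filepath.EvalSymlinks(filepath.Join(base, userPath))
	if err != nil {
		return "", errNotServable
	}
	rel, relErr := filepath.Rel(base, resolved)
	fi, statErr := os.Stat(resolved)
	outside := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if relErr != nil || statErr != nil || outside || !fi.Mode().IsRegular() {
		return "", errNotServable
	}
	return resolved, nil
}

// imageHandler answers every failure with the same status and body.
func imageHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, err := confine(baseDir, r.URL.Query().Get("path"))
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		http.ServeFile(w, r, p)
	}
}

func main() { fmt.Println(confine(os.TempDir(), "..")) }
```

The check and the later file open are separate steps, so the base directory should not be writable by untrusted users.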

Proof of Concept

The PoC will be made available once the vulnerability has been patched.

Immediate Actions

  • Avoid exposing CasaOS services directly to the internet until an official mitigation or patch is provided.
