← volver
CVE-2025-55149

Path Traversal Vulnerability in PDF Review Function (CWE-22)

CVSS 6.7 MEDIUMEPSS 0.6%CWE-22
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.7EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 ago 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. This vulnerability allows attackers to: read any PDF file accessible to the server process, potentially access sensitive documents outside the intended directory and perform reconnaissance on the server's file system structure. This issue does not currently have a fix.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Productos afectados
ulab-uiuc · tiny-scientist