CVE-2026-25525: OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
The Dataflow module in OpenMage LTS relies on a blacklist filter, `str_replace('../', '', $input)`, to prevent path traversal. Because `str_replace` makes a single, non-recursive pass over the input, the filter is bypassed by sequences such as `..././` or `....//`: removing the one embedded `../` leaves the surrounding characters to form a fresh `../`, and repeating the sequence yields as many traversal levels as the attacker wants. An authenticated administrator can use this to read arbitrary files on the server filesystem that the web server process can access. Stripping patterns is the wrong approach; the path should be canonicalized and checked to remain inside the intended directory, or the parameter restricted to an allowlisted file name. See the referenced pull request and release for the upstream fix.
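The filter and its bypass, as an added example (not OpenMage's code and not the patched implementation from the referenced pull request): weakSanitize() reproduces the str_replace blacklist, the constructed payloads show what one replacement pass leaves behind, and resolveInsideBase() and isSafeFileName() are two hardened alternatives written for this illustration. The scratch directory, the file name export.csv and the allowlist pattern are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not OpenMage code. weakSanitize() reproduces the blacklist
// filter the advisory describes; the rest shows why it fails and what a
// canonicalize-then-compare check looks like.

function weakSanitize(string $input): string
{
    // str_replace makes one left-to-right pass and never re-scans its own
    // output, so removing one '../' can leave another one behind.
    return str_replace('../', '', $input);
}

// Canonicalize the joined path and require it to stay under $baseDir.
// Returns the resolved path, or null when the request must be refused.
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses '.', '..' and symlinks. It returns false when the
    // target does not exist, which is acceptable for a read-only operation.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so a sibling directory such as
    // '/srv/export2' is not mistaken for a child of '/srv/export'.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Allowlist alternative when the input is meant to be a bare file name: no
// separators or leading dots can get through. The pattern is this example's
// choice (assumption), not OpenMage's.
function isSafeFileName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name) === 1;
}

// Constructed payloads (not taken from the referenced report), annotated with
// what a single str_replace pass leaves behind.
$payloads = [
    '../etc/passwd',                      // blocked: becomes 'etc/passwd'
    '..././etc/passwd',                   // '.' + '../' + './etc/passwd' -> '../etc/passwd'
    '....//etc/passwd',                   // '..' + '../' + '/etc/passwd' -> '../etc/passwd'
    '..././..././etc/passwd',             // each '..././' collapses to '../' -> '../../etc/passwd'
    str_repeat('../', 12) . 'etc/passwd', // deep traversal: if /etc/passwd exists, realpath()
                                          // resolves to it and the prefix check rejects it
];

// Scratch directory (assumed) so the script runs anywhere without touching real data.
$exportDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dataflow-demo-' . getmypid();
mkdir($exportDir, 0700, true);
file_put_contents($exportDir . DIRECTORY_SEPARATOR . 'export.csv', "id,sku\n1,ABC\n");

foreach (array_merge($payloads, ['export.csv']) as $p) {
    printf(
        "%-48s weak filter: %-22s hardened: %-8s allowlist: %s\n",
        $p,
        weakSanitize($p),
        resolveInsideBase($exportDir, $p) === null ? 'rejected' : 'accepted',
        isSafeFileName($p) ? 'accepted' : 'rejected'
    );
}

unlink($exportDir . DIRECTORY_SEPARATOR . 'export.csv');
rmdir($exportDir);
```

Run it with the php command-line binary. The realpath()-based check refuses every traversal payload, either because the canonical path lands outside the scratch directory or because it does not exist, and accepts only export.csv; the allowlist likewise accepts only the bare file name. Prefer the allowlist whenever the parameter is supposed to be a file name rather than a path. realpath() requires the target to exist and can race with concurrent filesystem changes, so for write operations validate the name and open the file under a fixed trusted prefix instead of resolving user-controlled paths.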
CVSS base metrics
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Reached over the network through the admin panel |
| Attack Complexity (AC) | Low | The bypass sequence is trivial to construct |
| Privileges Required (PR) | High | Requires an authenticated administrator account |
| User Interaction (UI) | None | No action by another user is needed |
| Scope (S) | Unchanged | Impact stays within the vulnerable component |
| Confidentiality (C) | High | Arbitrary files readable by the web server process can be disclosed |
| Integrity (I) | None | Read-only; no files are modified |
| Availability (A) | None | No impact on availability |
References
- github.com/OpenMage/magento-lts
- github.com/OpenMage/magento-lts/pull/5445
- github.com/OpenMage/magento-lts/releases/tag/v20.17.0
- github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6
- github.com/advisories/GHSA-6vqf-6fhm-7rc6
- hackerone.com/reports/3482926
- nvd.nist.gov/vuln/detail/CVE-2026-25525