Vulnerability Details CVE-2025-34171
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.3%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2025-34171
-
cpe:2.3:o:icewhale:casaos:-
-
cpe:2.3:o:icewhale:casaos:0.1.0
-
cpe:2.3:o:icewhale:casaos:0.1.1
-
cpe:2.3:o:icewhale:casaos:0.1.10
-
cpe:2.3:o:icewhale:casaos:0.1.11
-
cpe:2.3:o:icewhale:casaos:0.1.2
-
cpe:2.3:o:icewhale:casaos:0.1.3
-
cpe:2.3:o:icewhale:casaos:0.1.4
-
cpe:2.3:o:icewhale:casaos:0.1.5
-
cpe:2.3:o:icewhale:casaos:0.1.6
-
cpe:2.3:o:icewhale:casaos:0.1.7
-
cpe:2.3:o:icewhale:casaos:0.1.8
-
cpe:2.3:o:icewhale:casaos:0.1.9
-
cpe:2.3:o:icewhale:casaos:0.2.0
-
cpe:2.3:o:icewhale:casaos:0.2.1
-
cpe:2.3:o:icewhale:casaos:0.2.10
-
cpe:2.3:o:icewhale:casaos:0.2.2
-
cpe:2.3:o:icewhale:casaos:0.2.3
-
cpe:2.3:o:icewhale:casaos:0.2.4
-
cpe:2.3:o:icewhale:casaos:0.2.5
-
cpe:2.3:o:icewhale:casaos:0.2.6
-
cpe:2.3:o:icewhale:casaos:0.2.7
-
cpe:2.3:o:icewhale:casaos:0.2.8
-
cpe:2.3:o:icewhale:casaos:0.2.9
-
cpe:2.3:o:icewhale:casaos:0.3.0
-
cpe:2.3:o:icewhale:casaos:0.3.1
-
cpe:2.3:o:icewhale:casaos:0.3.1.1
-
cpe:2.3:o:icewhale:casaos:0.3.2
-
cpe:2.3:o:icewhale:casaos:0.3.2.1
-
cpe:2.3:o:icewhale:casaos:0.3.3
-
cpe:2.3:o:icewhale:casaos:0.3.4
-
cpe:2.3:o:icewhale:casaos:0.3.5
-
cpe:2.3:o:icewhale:casaos:0.3.5.1
-
cpe:2.3:o:icewhale:casaos:0.3.6
-
cpe:2.3:o:icewhale:casaos:0.3.7
-
cpe:2.3:o:icewhale:casaos:0.3.7-1
-
cpe:2.3:o:icewhale:casaos:0.3.7.1
-
cpe:2.3:o:icewhale:casaos:0.3.8
-
cpe:2.3:o:icewhale:casaos:0.4.1
-
cpe:2.3:o:icewhale:casaos:0.4.2
-
cpe:2.3:o:icewhale:casaos:0.4.3
-
cpe:2.3:o:icewhale:casaos:0.4.3-1
-
cpe:2.3:o:icewhale:casaos:0.4.4
-
cpe:2.3:o:icewhale:casaos:0.4.4-1
-
cpe:2.3:o:icewhale:casaos:0.4.5
-
cpe:2.3:o:icewhale:casaos:0.4.6
-
cpe:2.3:o:icewhale:casaos:0.4.7