Strix
26.1K

CVE-2025-24908

MEDIUMCVSS 6.8/10EPSS 0.40%

Last modified

CVE-2025-24908 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. Overview   The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service. EPSS estimates a 0.40% chance of exploitation in the next 30 days.

Description

Overview   The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.   Impact   This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Metrics

CVSS 3.1
6.8/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS Probability
0.40%

32.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2025-24908?
Overview   The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.   Impact   This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
How severe is CVE-2025-24908?
CVE-2025-24908 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 0.40% probability of exploitation in the next 30 days.
How do I fix CVE-2025-24908?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-24908?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST