CVE-2025-27500 - Exploiting An Unauthenticated File Upload Vulnerability in OpenZiti Admin Panel
OpenZiti is a popular free and open-source project that focuses on bringing zero trust networking to any application or environment. As the project gained users and contributors, security became even more important. In early 2025, a major vulnerability was discovered in the OpenZiti admin panel, tracked as CVE-2025-27500. This post will explain what the issue was, how it could be exploited, and what you can do to stay safe.
What is CVE-2025-27500?
CVE-2025-27500 is a missing-authentication vulnerability in the OpenZiti admin panel, specifically on the /api/upload endpoint. The endpoint accepted file uploads from anyone, without any form of authentication, and the uploaded files were then reachable at direct URLs on the same server.
The risk? If an attacker uploaded a file containing active browser content, such as an HTML page with a script tag, anyone who opened that URL would run the attacker's code in the context of the admin panel's origin: a stored Cross-Site Scripting (XSS) attack.
Key Points
- Vulnerable Endpoint: /api/upload (HTTP POST, no authentication required)
- Impact: stored XSS against admin panel users via attacker-controlled files served from the same origin
- Fixed in: version 3.7.1, which disables the endpoint
How Did the Vulnerability Work?
The vulnerable code accepted any file over an HTTP POST and stored it, without checking who was making the request or what was being uploaded. Here's a simple breakdown:
1. Unauthenticated POST: Anyone could send data to http://<ziti-admin-panel>/api/upload.
2. No content checks: The file was stored under the client-supplied name with no validation of its type or contents.
3. Public URL: The uploaded file could then be accessed by anyone via a static URL on the same host.
4. XSS Risk: If the file was opened in a browser, the attacker's script ran within the visiting user's session.
Example (Python proof of concept)
import requests

# Target: a vulnerable (pre-3.7.1) admin panel. No credentials are sent at all.
url = "http://<ziti-admin-panel>/api/upload"
# An HTML document carrying a script tag, labelled text/html so a browser renders it.
files = {'file': ('xss.html', '<script>alert("XSS")</script>', 'text/html')}
r = requests.post(url, files=files, timeout=10)
print(r.status_code)
print(r.text)  # Typically returns information about the stored file
The full attack chain is then:
1. Upload: The attacker posts the HTML file as shown above, without any credentials.
2. Public URL: After upload, the file is reachable at a URL such as
http://<ziti-admin-panel>/uploads/xss.html
3. Delivery: The attacker tricks an admin or user into opening that URL, for example by email or chat.
4. Execution: If the admin visits the link while logged in, the script runs in their browser under the admin panel's origin, potentially hijacking their session, stealing cookies, or performing actions as the admin.
Why Was This Endpoint Dangerous?
File upload endpoints are very risky if not properly protected. If the endpoint does not require authentication and does not validate the name, type and content of what it receives, anyone can upload anything, including content crafted to attack your users (as with the stored XSS here) or your server.
OpenZiti at one time supported this feature as part of its admin panel node app. However, as the project moved towards a single page application (SPA) with a static backend, this upload functionality became unnecessary and was disabled and removed.
Remediation & Fix
If you run the OpenZiti admin panel, update to at least version 3.7.1.
This version disables the vulnerable endpoint completely.
- OpenZiti Release Notes
- OpenZiti GitHub
OpenZiti also recommends reviewing server logs for any suspicious activity on the /api/upload endpoint, especially if you ran a vulnerable version. A successful POST to that endpoint means a file was stored on the server; locate and remove any such file, and treat subsequent requests for it as a sign that someone may have been served the payload.
References
- GitHub Security Advisory: CVE-2025-27500
- OpenZiti Changelog
- What is Zero Trust? (OpenZiti Docs)
Summary
If you use OpenZiti's admin panel, make sure you're running version 3.7.1 or newer to stay protected against CVE-2025-27500. Never run outdated software, and always be wary of public file upload endpoints—especially those that aren’t protected by authentication.
For more details or concerns, check out the official GitHub repository or reach out to OpenZiti maintainers.
Timeline
Published on: 03/03/2025 19:15:36 UTC
Last modified on: 03/05/2025 20:30:38 UTC