CVE Vulnerabilities

CVE-2025-53392

Absolute Path Traversal

Published: Jun 28, 2025 | Modified: Jun 30, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io minimus.io echohq.com

In Netgate pfSense CE 2.8.0, the WebCfg - Diagnostics: Command privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Suppliers perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.

Weakness

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory.

References