← Back to CVEs
CVE-2025-53927
MEDIUM4.6
Description
MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue.
CVE Details
CVSS v3.1 Score4.6
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredLOW
User InteractionREQUIRED
Published7/17/2025
Last Modified8/2/2025
Sourcenvd
Honeypot Sightings0
Affected Products
maxkb:maxkb
Weaknesses (CWE)
CWE-94
References
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0(security-advisories@github.com)
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.