← Retour aux CVEs
CVE-2025-53927
MEDIUM4.6
Description
MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue.
Details CVE
Score CVSS v3.14.6
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Vecteur d'attaqueNETWORK
ComplexiteHIGH
Privileges requisLOW
Interaction utilisateurREQUIRED
Publie7/17/2025
Derniere modification8/2/2025
Sourcenvd
Observations honeypot0
Produits affectes
maxkb:maxkb
Faiblesses (CWE)
CWE-94
References
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0(security-advisories@github.com)
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.