CNNVD-202512-4082 Information

CNNVD ID

CNNVD-202512-4082

CVE-2025-13700

  • CNNVD Published: 2025-12-23

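Description (translated from Chinese)

DreamFactory Core is the open-source core service of DreamFactory, from DreamFactory Software. DreamFactory Core contains an operating system command injection vulnerability. It stems from a lack of validation of a user-supplied string in the implementation of the saveZipFile method, and may lead to command injection and remote code execution.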

Description (English)

DreamFactory Core is the open-source core service of DreamFactory, from DreamFactory Software. DreamFactory Core has an operating system command injection vulnerability, which stems from the lack of validation of a user-supplied string in the implementation of the saveZipFile method and may lead to command injection and remote code execution.

Hazard Level

Medium

Vulnerability Type

Operating system command injection

Affected Vendor

DreamFactory Software

Published

2025-12-23

Last Modified

2026-02-24

References

https://github.com/dreamfactorysoftware/df-core/commit/404a1783927f95999c71a0ff8f14130d385087fb

https://www.zerodayinitiative.com/advisories/ZDI-25-1024/

Patch

https://github.com/dreamfactorysoftware/df-core/commit/404a1783927f95999c71a0ff8f14130d385087fb
