ZendTo Flaw Lets Attackers Bypass Security Controls to Access Sensitive Data

A critical vulnerability in the popular file-sharing tool ZendTo allows authenticated users to traverse system paths and access or modify sensitive files belonging to other users.

The flaw, tracked as CVE-2025-34508, affects ZendTo versions 6.15-7 and earlier. An attacker can exploit this issue to read server logs, user data, or even critical application files.

ZendTo released a patch in version 6.15-8, and administrators are urged to update immediately to prevent unauthorized access.

How the Path Traversal Occurs

ZendTo is built to let users drop off and pick up large files through a secure web interface. When files are uploaded, the application uses two key parameters: chunkName and tmp_name.

| CVE ID | Affected Versions | Vulnerability Type | Impact | Patch Version |
| --- | --- | --- | --- | --- |
| CVE-2025-34508 | 6.15-7 and earlier | Path traversal | Unauthorized file access and modification | 6.15-8 |

Normally, chunkName is created by client-side scripts and cleaned to allow only letters and numbers. However, if chunkName has no alphanumeric characters, the code falls back to the base upload directory.

Next, ZendTo combines tmp_name with the upload directory path without proper sanitization.

By supplying a specially crafted tmp_name such as /../../log/zendto/zendto.log, an attacker can move arbitrary files from the server into their personal dropoff.

This relocation reveals the contents when the attacker downloads the dropoff package. In default setups, any file accessible by the web server user is at risk, including uploaded files, logs, and configuration data.

In a proof of concept, a researcher used a chunkName of . and tmp_name of /../../log/zendto/zendto.log. This resulted in the server moving its own log file into the dropoff directory.

The attacker then downloaded the log file, which contained internal identifiers that grant access to all other dropoff data. With these identifiers, an attacker can systematically retrieve every file ever uploaded by legitimate users.

Beyond data theft, an attacker could target the ZendTo database or core software files. Removing or corrupting these would render the service unusable, causing a denial-of-service condition.

This case underscores that even vulnerabilities requiring a valid login can be powerful when path validation is weak.

ZendTo addressed CVE-2025-34508 in version 6.15-8. Administrators should upgrade without delay.

Users who cannot immediately update can implement a temporary mitigation by restricting file system permissions so the web server user cannot read or move files outside its intended directory.

Monitoring server logs for suspicious dropoff activity is also advised. Application owners should adopt a defense-in-depth approach. Always validate and sanitize user inputs on both client and server sides.

Employ security frameworks that enforce strict path normalization. Regularly review and test file upload and download logic for path traversal and related issues.
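
The chunkName fallback and the unchecked tmp_name join described above, modelled in Python beside a hardened form. This is an added example, not ZendTo's code or its 6.15-8 patch. The directory `/var/zendto/incoming`, the function names, and the treatment of a non-empty chunkName as a subdirectory are assumptions.

```python
import os
import re

# Assumed directory layout for this sketch; the page does not name the real paths.
UPLOAD_DIR = "/var/zendto/incoming"


def _clean(chunk_name: str) -> str:
    """Keep only letters and digits, as the page says chunkName is cleaned."""
    return re.sub(r"[^A-Za-z0-9]", "", chunk_name)


def vulnerable_source(chunk_name: str, tmp_name: str) -> str:
    """Model of the flawed logic: an empty cleaned chunkName falls back to the
    base upload directory, and tmp_name is appended with no checks."""
    cleaned = _clean(chunk_name)
    # Assumption: a non-empty chunkName selects a subdirectory of UPLOAD_DIR.
    prefix = os.path.join(UPLOAD_DIR, cleaned) if cleaned else UPLOAD_DIR
    # normpath shows where the operating system would end up resolving the path.
    return os.path.normpath(prefix + tmp_name)


def safe_source(chunk_name: str, tmp_name: str) -> str:
    """Hardened variant: no fallback, bare file names only, containment check."""
    cleaned = _clean(chunk_name)
    if not cleaned:
        raise ValueError("chunkName has no usable characters")
    if tmp_name in ("", ".", "..") or tmp_name != os.path.basename(tmp_name):
        raise ValueError("tmp_name must be a bare file name")
    root = os.path.realpath(UPLOAD_DIR)
    candidate = os.path.realpath(os.path.join(root, cleaned, tmp_name))
    # Resolve symlinks first, then require the result to stay under the root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


if __name__ == "__main__":
    poc = (".", "/../../log/zendto/zendto.log")  # values quoted in the article
    print("vulnerable:", vulnerable_source(*poc))
    try:
        safe_source(*poc)
    except ValueError as exc:
        print("hardened: rejected,", exc)
```

The containment check runs after symlink resolution, so it still holds if a link inside the upload directory points elsewhere.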


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.