CVE-2025-7895: Unrestricted File Upload Vulnerability in MoneyPrinterTurbo

This blog post details a critical security vulnerability, tracked as CVE-2025-7895, affecting MoneyPrinterTurbo versions up to 1.2.6. This flaw allows a low-privileged attacker to upload arbitrary files, potentially leading to remote code execution and full system compromise.

Vulnerability Details

  • CVE ID: CVE-2025-7895
  • Description: MoneyPrinterTurbo, up to version 1.2.6, contains an unrestricted file upload vulnerability in the upload_bgm_file function located in app/controllers/v1/video.py. By manipulating the 'File' argument, an authenticated attacker can upload malicious files without proper validation, leading to potential system compromise.
  • CVSS Score: 6.3 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVSS Explanation:
    • AV:N (Network): The vulnerability can be exploited over the network.
    • AC:L (Low): No special conditions or mitigating factors are required for exploitation.
    • PR:L (Low): The attacker needs low-level privileges to exploit the vulnerability.
    • UI:N (None): No user interaction is required to trigger the vulnerability.
    • S:U (Unchanged): An exploited vulnerability cannot affect resources beyond its security scope.
    • C:L (Low): There is limited information disclosure.
    • I:L (Low): There is limited data modification.
    • A:L (Low): There is limited disruption of services.
  • Exploit Requirements: An attacker needs to have a valid user account with low privileges to exploit this vulnerability.
  • Affected Vendor: harry0703
  • Affected Product: MoneyPrinterTurbo
  • Affected Version: Up to 1.2.6
  • CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type

Timeline of Events

  • 2025-07-20: Vulnerability reported to VulDB.
  • 2025-07-20: CVE-2025-7895 assigned.

Exploitability & Real-World Risk

This vulnerability is relatively easy to exploit, as it requires only a valid user account and the ability to upload files. In a real-world scenario, an attacker could upload a malicious script (e.g., PHP, Python) and execute it on the server, potentially gaining complete control of the system. The impact of this vulnerability can be significant, potentially leading to data theft, service disruption, or complete system compromise.

Recommendations

  • Patch: Upgrade MoneyPrinterTurbo to a version beyond 1.2.6, if a patch is available. Check the vendor's website for updates.
  • Input Validation: Implement strict input validation on the server side to prevent the upload of dangerous file types.
  • File Extension Whitelisting: Only allow the upload of specific, safe file extensions.
  • Disable Execution: Ensure that uploaded files cannot be executed by the web server. Configure the server to treat the upload directory as a static file directory.

Technical Insight

The vulnerability lies in the lack of proper validation of the uploaded file type. The upload_bgm_file function does not adequately check the file extension or content type, allowing an attacker to upload arbitrary files, such as executable scripts, and potentially gain remote code execution.
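The server-side checks named under Recommendations, applied to the gap described above, as an added example (not MoneyPrinterTurbo's code or its patch). The helper store_bgm_upload, the MP3-only allowlist and the 20 MiB cap are assumptions made for illustration.

```python
import os
import tempfile
import uuid
from pathlib import Path

ALLOWED_EXT = {".mp3"}            # assumption: background music is MP3 only
MAX_BYTES = 20 * 1024 * 1024      # assumption: 20 MiB size cap


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def looks_like_mp3(head: bytes) -> bool:
    # Cheap sniff, not a full parse: ID3v2 tag or MPEG frame sync (11 set bits).
    return head[:3] == b"ID3" or (
        len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0)


def store_bgm_upload(client_name: str, data: bytes, upload_dir: Path) -> Path:
    """Validate an upload, then store it under a server-generated name."""
    # The client-supplied name only contributes its final extension.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not looks_like_mp3(data[:4]):
        raise UploadRejected("content is not MP3 audio")
    root = upload_dir.resolve()
    root.mkdir(parents=True, exist_ok=True)
    dest = root / f"{uuid.uuid4().hex}{ext}"
    # O_EXCL never overwrites; mode 0o640 stores the file without execute bits.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    # Constructed sample uploads: (client file name, first bytes of the body).
    mp3, script = b"ID3\x03" + b"\x00" * 16, b"import os\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in [("song.mp3", mp3), ("shell.py", script), ("song.mp3", script)]:
            try:
                print(name, "->", store_bgm_upload(name, body, Path(tmp)).name)
            except UploadRejected as exc:
                print(name, "rejected:", exc)
```

The byte sniff is only a first filter; the upload directory still has to be served as static content so that nothing stored there is ever interpreted.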

Credit to Researcher(s)

This vulnerability was reported to VulDB.


Summary: A critical file upload vulnerability (CVE-2025-7895) has been discovered in MoneyPrinterTurbo versions up to 1.2.6, allowing authenticated attackers to upload arbitrary files and potentially execute code on the server. Users are advised to update to a patched version or implement mitigation measures to prevent exploitation.

Risk Analysis: Successful exploitation of this vulnerability could allow an attacker to gain control of the server, leading to data theft, service disruption, or complete system compromise.

Recommendation: Upgrade MoneyPrinterTurbo to a patched version or implement file type validation and restrictions on the server.
