CVE-2020-25074
Description
The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in MoinMoin's cache action (action/cache.py) through 1.9.10 allows an attacker with attachment upload privileges to achieve remote code execution.
Vulnerability
Description
CVE-2020-25074 is a directory traversal vulnerability discovered in the cache action within MoinMoin's action/cache.py file. The flaw affects all versions through MoinMoin 1.9.10. The root cause is insufficient sanitization of user-supplied input in the cache action, which processes HTTP requests to manage cached wiki content. By crafting a malicious HTTP request, an attacker can traverse directories outside the intended cache directory [1][2].
Exploitation
To exploit this vulnerability, an attacker must have the ability to upload attachments to the wiki. This is a standard feature in most MoinMoin installations, allowing authenticated users to attach files to pages. By combining a crafted HTTP request with a maliciously named attachment, the attacker can navigate the file system and write arbitrary files to arbitrary locations on the server. Network access to the wiki server is also a prerequisite, but the attack does not require any special privileges beyond the basic attachment upload permission [2][3].
Impact
Successful exploitation allows an attacker to write arbitrary files to the server's file system. By carefully placing files, such as a Python script or a configuration file, the attacker can achieve remote code execution. This could lead to full compromise of the web server and potentially the underlying system, depending on the web server's permissions and the wiki's environment [1][3].
Mitigation
The vulnerability has been fixed in MoinMoin version 1.9.11, released shortly after the disclosure. Users are strongly advised to upgrade to this version or later. The fix is included in the release notes and associated commits. There are no known workarounds for users unable to upgrade immediately, so applying the update is the only reliable mitigation [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moinPyPI | < 1.9.11 | 1.9.11 |
Affected products
3- MoinMoin/MoinMoindescription
- ghsa-coords2 versions
< 1.9.11+ 1 more
- (no CPE)range: < 1.9.11
- (no CPE)range: < 1.9.11-bp152.4.3.1
Patches
16b96a9060069Merge pull request from GHSA-52q8-877j-gghq
1 file changed · +20 −7
MoinMoin/action/cache.py+20 −7 modified@@ -103,6 +103,19 @@ def key(request, wikiname=None, itemname=None, attachname=None, content=None, se return key +def valid_key(key): + # make sure the key looks like keys generated by key() + if not isinstance(key, unicode): + # key is None (not given in url args) or something unexpected + return False + try: + int(key, 16) # try to evaluate as hex number + except ValueError: + # was not a hex number + return False + return len(key) == 40 # hmac-sha1 hexdigest == 40 hex chars + + def put(request, key, data, filename=None, content_type=None, @@ -234,14 +247,14 @@ def _do_remove(request, key): remove(request, key) -def _do(request, do, key): - if do == 'get': - _do_get(request, key) - elif do == 'remove': - _do_remove(request, key) - def execute(pagename, request): do = request.values.get('do') key = request.values.get('key') - _do(request, do, key) + valid = valid_key(key) # validate untrusted input + if valid and do == 'get': + _do_get(request, key) + elif valid and do == 'remove': + _do_remove(request, key) + else: + request.status_code = 404
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-52q8-877j-gghqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-25074ghsaADVISORY
- www.debian.org/security/2020/dsa-4787ghsavendor-advisoryx_refsource_DEBIANWEB
- moinmo.in/SecurityFixesghsax_refsource_MISCWEB
- github.com/moinwiki/moin-1.9/commit/6b96a9060069302996b5af47fd4a388fc80172b7ghsaWEB
- github.com/moinwiki/moin-1.9/security/advisories/GHSA-52q8-877j-gghqghsax_refsource_MISCWEB
- github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2020-67.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2020/11/msg00020.htmlghsamailing-listx_refsource_MLISTWEB
- pypi.org/project/moinghsaWEB
News mentions
0No linked articles in our index yet.