bjrjk/LinuxASMCallGraph before commit 20dba06 allows attackers to cause a RCE on the server side via uploading a crafted ZIP file due to incorrect filtering rules of uploaded file
Description
LinuxASMCallGraph is software for drawing the call graph of the programming code. Linux ASMCallGraph before commit 20dba06bd1a3cf260612d4f21547c25002121cd5 allows attackers to cause a remote code execution on the server side via uploading a crafted ZIP file due to incorrect filtering rules of uploaded file. The problem has been patched in commit 20dba06bd1a3cf260612d4f21547c25002121cd5. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LinuxASMCallGraph before commit 20dba06 allows remote code execution via uploading a crafted ZIP file due to insufficient file filtering.
Vulnerability
The vulnerability resides in the file upload functionality of LinuxASMCallGraph, a tool for drawing call graphs. Before commit 20dba06bd1a3cf260612d4f21547c25002121cd5, the application incorrectly filters uploaded ZIP files, allowing attackers to include malicious files (e.g., PHP scripts) that are extracted and executed on the server. The flaw exists in all versions prior to the fix. [1][2][4]
Exploitation
An attacker can upload a crafted ZIP file containing a PHP file (or other executable content) to the server. The application's filtering only checked for the presence of "php" in the unzip output, which could be bypassed by using different extensions or encoding. The attacker does not need authentication if the upload functionality is publicly accessible. The steps involve creating a ZIP with a malicious PHP file, uploading it, and then accessing the extracted file to trigger execution. [1][2][3]
Impact
Successful exploitation allows remote code execution on the server with the privileges of the web server process. The attacker can execute arbitrary commands, access or modify files, and potentially pivot to other systems. [2][4]
Mitigation
The vulnerability is patched in commit 20dba06bd1a3cf260612d4f21547c25002121cd5 (and later commit c6579e34581ac9cc9da683d73c8658bcfc75711a per the advisory). Users should upgrade to the latest version. There are no known workarounds. [3][4]
- Upload a crafted ZIP File will cause an arbitrary filesystem access
- Upload a crafted ZIP File will cause remote code execution
- Fixed Vulnerability · bjrjk/LinuxASMCallGraph@20dba06
- Repo before commit 20dba06 allows attackers to cause a RCE on the server side via uploading a crafted ZIP file due to incorrect filtering rules of uploaded file
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: < 20dba06bd1a3cf260612d4f21547c25002121cd5
- bjrjk/LinuxASMCallGraphv5Range: < 20dba06bd1a3cf260612d4f21547c25002121cd5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/bjrjk/LinuxASMCallGraph/commit/20dba06bd1a3cf260612d4f21547c25002121cd5mitrex_refsource_MISC
- github.com/bjrjk/LinuxASMCallGraph/issues/6mitrex_refsource_MISC
- github.com/bjrjk/LinuxASMCallGraph/issues/8mitrex_refsource_MISC
- github.com/bjrjk/LinuxASMCallGraph/security/advisories/GHSA-63c3-r9qm-c2wxmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.