VYPR
High severity · CVSS 7.5 · NVD Advisory · Published Feb 5, 2025 · Updated Apr 15, 2026

CVE-2025-1025

Description

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload: an attacker can use a different file extension to bypass the upload filter that is meant to block PHP files.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
cockpit-hq/cockpit (Packagist)   < 2.4.1             2.4.1

Patches

984ef9ad2703

add additional security check for uploading files

https://github.com/Cockpit-HQ/Cockpit · Artur Heinze · Mar 17, 2023 · via ghsa
2 files changed · +2 −2
  • modules/Assets/bootstrap.php (+1 −1, modified)
    @@ -81,7 +81,7 @@
                     $_sizeAllowed = $max_size ? filesize($files['tmp_name'][$i]) < $max_size : true;
     
                     // prevent uploading php files
    -                if ($_isAllowed && pathinfo($_file, PATHINFO_EXTENSION) === 'php') {
    +                if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php', 'phar', 'phtml'])) {
                         $_isAllowed = false;
                     }
     
    
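Review bot: The check on the `+` line is still a denylist (`['php', 'phar', 'phtml']`) applied only to the last extension that `pathinfo()` returns, so it covers exactly three names and nothing else a given web server handler configuration might hand to the PHP interpreter; the safer shape for an assets upload path is an allowlist of the extensions the manager actually needs, with the lowercasing and the list kept in one helper shared with `modules/Finder/Controller/Finder.php`, which duplicates the same literal in this commit.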
  • modules/Finder/Controller/Finder.php (+1 −1, modified)
    @@ -427,7 +427,7 @@ protected function _isFileTypeAllowed($file) {
     
             $allowed = trim($this->app->retrieve('finder.allowed_uploads', '*'));
     
    -        if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) == 'php' && !$this->helper('acl')->isSuperAdmin()) {
    +        if (in_array(strtolower(pathinfo($file, PATHINFO_EXTENSION)), ['php', 'phar', 'phtml']) && !$this->helper('acl')->isSuperAdmin()) {
                 return false;
             }
     
    
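Review bot: The extended denylist in `_isFileTypeAllowed()` is still skipped when `$this->helper('acl')->isSuperAdmin()` is true, so the super-admin exception from the original line survives unchanged; if that exception is intentional it should be documented at this site, otherwise the extension check should apply regardless of role. The literal `['php', 'phar', 'phtml']` is also copied verbatim from `modules/Assets/bootstrap.php`; moving it to one shared constant keeps the two upload paths from drifting apart the next time the list changes.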
becca806c707

Prevent uploading php files in assets manager

https://github.com/Cockpit-HQ/Cockpit · Artur Heinze · Mar 10, 2023 · via ghsa
2 files changed · +9 −0
  • CHANGELOG.md (+4 −0, modified)
    @@ -1,5 +1,9 @@
     # Release Notes
     
    +## WIP
    +
    +- Prevent uploading php files in assets manager
    +
     ## 2.4.0 (2023-03-08)
     
     - Add additional security check editing php files in finder
    
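Review bot: The new `## WIP` heading carries no version or date, unlike `## 2.4.0 (2023-03-08)` directly below it; rename it to the release that ships this fix (the advisory above lists 2.4.1 as the patched version) before tagging, so users reading the changelog can tell which version closes the upload issue.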
  • modules/Assets/bootstrap.php (+5 −0, modified)
    @@ -80,6 +80,11 @@
                     $_isAllowed = $allowed === true ? true : preg_match("/\.({$allowed})$/i", $_file);
                     $_sizeAllowed = $max_size ? filesize($files['tmp_name'][$i]) < $max_size : true;
     
    +                // prevent uploading php files
    +                if ($_isAllowed && pathinfo($_file, PATHINFO_EXTENSION) === 'php') {
    +                    $_isAllowed = false;
    +                }
    +
                     if (!$files['error'][$i] && $_isAllowed && $_sizeAllowed && move_uploaded_file($files['tmp_name'][$i], $_file)) {
     
                         $_files[]   = $_file;
    
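Review bot: The added comparison `pathinfo($_file, PATHINFO_EXTENSION) === 'php'` is case-sensitive and matches exactly one extension, while the `preg_match("/\.({$allowed})$/i", $_file)` allowlist two lines above it is evaluated case-insensitively, so the two checks disagree on what counts as the same extension; the follow-up commit 984ef9ad2703 on this page lowercases the extension and widens the list, and that form should have landed here. Suggested: `if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php', 'phar', 'phtml']))`.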
