Critical severityNVD Advisory· Published Jul 2, 2025· Updated Apr 15, 2026

CVE-2025-34073

Description

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/stamparm/maltrail/issues/19146nvd
huntr.com/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87nvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/maltrail_rce.rbnvd
vulncheck.com/advisories/stamparm-maltrail-rcenvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.052
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000