CVE-2025-44163
Description
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the entity parameter to overwrite arbitrary files writable by the web server via abuse of the tee command used in shell execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RaspAP raspap-webgui 3.3.1 has a directory traversal in get_wgkey.php allowing authenticated attackers to overwrite arbitrary files via the entity parameter.
Vulnerability
Overview
CVE-2025-44163 is a directory traversal vulnerability in the RaspAP raspap-webgui version 3.3.1, specifically in the ajax/networking/get_wgkey.php endpoint [1][3]. The root cause is insufficient sanitization of the entity parameter in a POST request. When the parameter value is passed to a shell command that uses tee, an authenticated attacker can inject path traversal sequences (e.g., ../) to redirect output to arbitrary files outside the intended directory [2][4].
Exploitation
Conditions
Exploitation requires prior authentication to the RaspAP web interface [3]. An attacker can send a crafted POST request to the vulnerable endpoint, embedding a path traversal payload in the entity parameter. The lack of input escaping allows the attacker to control the file path written by the tee command [2]. The commit fix (eb53c46) introduced escapeshellarg() on the entity value, confirming that the parameter was previously passed unsanitized into shell execution [2].
Impact
An authenticated attacker can overwrite any file on the system that is writable by the web server process [3]. This could lead to privilege escalation, persistent backdoor installation, or disruption of the RaspAP service. Since RaspAP often runs with elevated privileges on network devices (e.g., Raspberry Pi) [1], overwriting configuration files or system binaries could have severe consequences.
Mitigation
Status
As of the publication date, a fix has been committed to the RaspAP repository, which uses escapeshellarg() to properly escape the entity parameter before shell execution [2]. Users should update to the latest version of raspap-webgui that includes this commit. No CVE mentions inclusion in CISA Known Exploited Vulnerabilities (KEV) catalog.
- GitHub - RaspAP/raspap-webgui: The easiest, full-featured wireless router setup for Debian-based devices. Period.
- fix: mitigate UUF vulnerability by escaping entity with escapeshellarg · RaspAP/raspap-webgui@eb53c46
- NVD - CVE-2025-44163
- raspap-webgui/ajax/networking/get_wgkey.php at 125ae7a39ad7c9a71250d3b3e349fd767687ff8d · RaspAP/raspap-webgui
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
billz/raspap-webguiPackagist | < 3.3.6 | 3.3.6 |
Affected products
2- RaspAP/raspap-webguidescription
- Range: = 3.3.1
Patches
1eb53c46c3363fix: mitigate UUF vulnerability by escaping entity with escapeshellarg
1 file changed · +1 −1
ajax/networking/get_wgkey.php+1 −1 modified@@ -5,7 +5,7 @@ require_once '../../includes/config.php'; require_once '../../includes/authenticate.php'; -$entity = escapeshellcmd($_POST['entity']); +$entity = escapeshellarg($_POST['entity']); if (isset($entity)) {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-277f-37gw-9gmqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-44163ghsaADVISORY
- gist.github.com/YichaoXu/3694f039a3d1b973efd068e4dc662a41ghsaWEB
- github.com/RaspAP/raspap-webgui/blob/125ae7a39ad7c9a71250d3b3e349fd767687ff8d/ajax/networking/get_wgkey.phpghsaWEB
- github.com/RaspAP/raspap-webgui/commit/eb53c46c336384d78336b021adea94d9257e1d67ghsaWEB
News mentions
0No linked articles in our index yet.