VYPR
Moderate severity · NVD Advisory · Published Jul 24, 2025 · Updated Jul 25, 2025

Calibre Web 0.6.24 & Autocaliweb 0.7.0 - Blind C

CVE-2025-7404

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind OS command injection in Calibre Web 0.6.24 and Autocaliweb <0.7.1 allows an authenticated administrator to execute arbitrary binaries by supplying the path of any executable in the config_rarfile_location parameter.

CVE-2025-7404 describes a blind OS command injection vulnerability in Calibre Web version 0.6.24 (Nicolette) and Autocaliweb versions from 0.7.0 before 0.7.1. The root cause is that the /admin/ajaxconfig endpoint accepts user-supplied input for the config_rarfile_location parameter without proper validation. This path is then passed to the check_unrar() helper function, which directly uses it in a subprocess call via process_wait() and process_open(), allowing arbitrary binary execution [1][4].

Exploitation

An attacker must be authenticated as an administrator to reach the vulnerable endpoint. When a POST request supplies a malicious path (e.g., /sbin/reboot or /bin/bash), the server executes that binary without any arguments. Although arguments cannot be appended, the binary runs with the full privileges of the server process, so the impact on the host is immediate. The injection is blind because the command's output is never returned to the attacker [4].

Impact

A successful attack achieves arbitrary code execution at the server level. Although exfiltration of data is limited due to the lack of output, an attacker can trigger system commands like rebooting the server, launching interactive shells (if a terminal is attached), or running any other available binary. This compromises system integrity and availability, and severely impacts overall security [1][4].

Mitigation

For Calibre Web, upgrading to a patched version (later than 0.6.24) is recommended. For Autocaliweb, users should upgrade to version 0.7.1 or later. Both projects have addressed the vulnerability by implementing proper input validation and sanitization of the config_rarfile_location parameter. No workarounds are documented, and no CISA KEV listing has been observed as of publication date [2][3][4].
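The weakness described above is that a configurable "path to the unrar binary" is executed as-is. The block below is an added example, not code from Calibre Web or Autocaliweb, showing what the input validation mentioned in the mitigation section can look like in Python: the candidate path is canonicalised first (so symlinks and `..` cannot smuggle a different file in), then checked against an allowlist of tool names and parent directories and for sane file attributes, and only then run with a fixed argv and a timeout. The helper names `validate_tool_path` and `check_unrar`, the allowlists, and the `demo()` scenario with its fake scripts are all constructed for this example.

```python
import os
import stat
import subprocess
import tempfile

# Constructed allowlists for this example; real deployments would set these to the
# directories their package manager actually installs unrar into.
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/homebrew/bin")
ALLOWED_NAMES = ("unrar", "unrar.exe")


def validate_tool_path(candidate, allowed_dirs=ALLOWED_DIRS, allowed_names=ALLOWED_NAMES):
    """Return the canonical path if candidate is an acceptable unrar binary, else raise ValueError."""
    if not isinstance(candidate, str) or not candidate:
        raise ValueError("empty path")
    if "\x00" in candidate:
        raise ValueError("NUL byte in path")
    if not os.path.isabs(candidate):
        raise ValueError("path must be absolute")
    # Canonicalise before any check so a symlink named "unrar" cannot point at another binary.
    real = os.path.realpath(candidate)
    if os.path.basename(real) not in allowed_names:
        raise ValueError("basename is not an allowed tool name")
    parent = os.path.dirname(real)
    if not any(parent == os.path.realpath(d) for d in allowed_dirs):
        raise ValueError("binary is outside the allowed directories")
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file")
    if not os.access(real, os.X_OK):
        raise ValueError("not executable")
    if st.st_mode & stat.S_IWOTH:
        raise ValueError("world-writable binary")
    return real


def check_unrar(candidate, allowed_dirs=ALLOWED_DIRS):
    """Hypothetical hardened helper: validate first, then run with a fixed argv (no shell) and a timeout."""
    real = validate_tool_path(candidate, allowed_dirs=allowed_dirs)
    proc = subprocess.run([real], capture_output=True, text=True, timeout=10, check=False)
    return (proc.stdout or proc.stderr).strip()


def demo():
    """Constructed scenario: fake scripts in a temp dir show which paths the validator accepts."""
    base = tempfile.mkdtemp()
    good_dir = os.path.join(base, "bin")    # allowlisted
    link_dir = os.path.join(base, "links")  # allowlisted, holds a symlink
    bad_dir = os.path.join(base, "sbin")    # not allowlisted
    for d in (good_dir, link_dir, bad_dir):
        os.mkdir(d)

    def write_script(path, text):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho " + text + "\n")
        os.chmod(path, 0o755)

    good = os.path.join(good_dir, "unrar")
    write_script(good, "UNRAR 7.0 freeware")        # constructed stand-in for a real unrar
    reboot = os.path.join(bad_dir, "reboot")
    write_script(reboot, "would reboot")            # stand-in for an arbitrary binary
    stray = os.path.join(bad_dir, "unrar")
    write_script(stray, "stray copy")               # right name, wrong directory
    link = os.path.join(link_dir, "unrar")
    os.symlink(reboot, link)                        # right name, resolves to the wrong file

    allowed = (good_dir, link_dir)

    def outcome(path):
        try:
            return validate_tool_path(path, allowed_dirs=allowed)
        except ValueError as exc:
            return "rejected: " + str(exc)

    return {
        "good": outcome(good),
        "reboot": outcome(reboot),
        "stray": outcome(stray),
        "symlink": outcome(link),
        "relative": outcome("unrar"),
        "version": check_unrar(good, allowed_dirs=allowed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points matter for detection and hardening: the allowlist is applied to the resolved path, not the string the admin typed, and the subprocess is invoked with a list argv rather than through a shell. Logging every rejected `ValueError` from the settings endpoint also gives a cheap signal that someone with admin access is probing this parameter.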

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
calibreweb (PyPI) | <= 0.6.24 |

Affected products (2)
  • Autocaliweb/Autocaliwebv5
    Range: 0.7.0
  • Calibre Web/Calibre Webv5
    Range: 0.6.24

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.