CVE-2025-50464

A buffer overflow vulnerability exists in the upload.cgi module of the iptime NAS firmware v1.5.04. The vulnerability arises due to the unsafe use of the strcpy function to copy attacker-controlled data from the CONTENT_TYPE HTTP header into a fixed-size stack buffer (v8, allocated 8 bytes) without bounds checking. Since this operation occurs before authentication logic is executed, the vulnerability is exploitable pre-authentication.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lafdrew/IOT/blob/main/iptime_nas_1.5.04/Buffer-Overflow-in-upload-cgi-of-iptime-nas-1-5-04.md	Exploit Third Party Advisory
https://lafdrew.github.io/2025/04/25/Buffer-Overflow-in-upload-cgi-of-iptime-nas-1-5-04/	Broken Link

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:iptime:nas_firmware:1.5.04:*:*:*:*:*:*:*

cpe:2.3:h:iptime:nas:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-30 19:15

Updated : 2025-08-06 16:22

NVD link : CVE-2025-50464

Mitre link : CVE-2025-50464

CVE.ORG link : CVE-2025-50464

JSON object : View

Products Affected

iptime

nas_firmware
nas

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-50464", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-07-30T19:15:48.790", "references": [{"url": "https://github.com/lafdrew/IOT/blob/main/iptime_nas_1.5.04/Buffer-Overflow-in-upload-cgi-of-iptime-nas-1-5-04.md", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://lafdrew.github.io/2025/04/25/Buffer-Overflow-in-upload-cgi-of-iptime-nas-1-5-04/", "tags": ["Broken Link"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability exists in the upload.cgi module of the iptime NAS firmware v1.5.04. The vulnerability arises due to the unsafe use of the strcpy function to copy attacker-controlled data from the CONTENT_TYPE HTTP header into a fixed-size stack buffer (v8, allocated 8 bytes) without bounds checking. Since this operation occurs before authentication logic is executed, the vulnerability is exploitable pre-authentication."}, {"lang": "es", "value": "Existe una vulnerabilidad de desbordamiento de b\u00fafer en el m\u00f3dulo upload.cgi de iptime NAS firmware v1.5.04. Esta vulnerabilidad surge debido al uso inseguro de la funci\u00f3n strcpy para copiar datos controlados por el atacante desde el encabezado HTTP CONTENT_TYPE a un b\u00fafer de pila de tama\u00f1o fijo (v8, asignado a 8 bytes) sin verificaci\u00f3n de los l\u00edmites. Dado que esta operaci\u00f3n ocurre antes de que se ejecute la l\u00f3gica de autenticaci\u00f3n, la vulnerabilidad es explotable antes de la autenticaci\u00f3n."}], "lastModified": "2025-08-06T16:22:29.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:iptime:nas_firmware:1.5.04:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "893BBCAF-A24B-4FFD-A5A4-934139B32F33"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:iptime:nas:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "315FBE8A-8CAD-4DEB-9180-E3EB516C438A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}