CVE-2025-10009 - Vulnerability Details - OpenCVE

Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

Update Invoice Ninja to 5.11.73 or newer.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de

History

Mon, 22 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.
Title		Authenticated admin RCE in Invoice Ninja
Weaknesses		CWE-434
References		https://github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de
Metrics		cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published: 2025-09-22T09:20:03.168Z

Updated: 2025-09-22T09:20:03.168Z

Reserved: 2025-09-05T05:44:46.601Z

Link: CVE-2025-10009

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10009", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "state": "PUBLISHED", "assignerShortName": "NCSC-FI", "dateReserved": "2025-09-05T05:44:46.601Z", "datePublished": "2025-09-22T09:20:03.168Z", "dateUpdated": "2025-09-22T09:20:03.168Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/invoiceninja/invoiceninja", "defaultStatus": "unaffected", "modules": ["Admin \"Restore\" function"], "packageName": "invoiceninja", "platforms": ["Linux", "Windows", "64 bit"], "product": "Invoice Ninja 5", "programFiles": ["https://github.com/invoiceninja/invoiceninja/blob/v5.11.72/app/Http/Controllers/ImportJsonController.php"], "repo": "https://github.com/invoiceninja/invoiceninja", "vendor": "Invoice Ninja", "versions": [{"lessThanOrEqual": "5.11.72", "status": "affected", "version": "5.11.41", "versionType": "custom"}, {"lessThanOrEqual": "*", "status": "unaffected", "version": "5.11.73", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "lassi"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect handling of uploaded files in the admin \"Restore\" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files."}], "value": "Incorrect handling of uploaded files in the admin \"Restore\" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files."}], "impacts": [{"capecId": "CAPEC-175", "descriptions": [{"lang": "en", "value": "CAPEC-175 Code Inclusion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2025-09-22T09:20:03.168Z"}, "references": [{"url": "https://github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update Invoice Ninja to 5.11.73 or newer."}], "value": "Update Invoice Ninja to 5.11.73 or newer."}], "source": {"discovery": "UNKNOWN"}, "tags": ["x_open-source"], "title": "Authenticated admin RCE in Invoice Ninja", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}