CVE-2025-55988: Path Traversal and Remote Code Execution in DreamFactory Core

DreamFactory Core v1.0.3 exposes a REST API interface that handles various internal and external service requests. The primary routing component for these requests is located within src/Http/Controllers/RestController.php. This controller is responsible for parsing incoming HTTP requests and dispatching them to the appropriate service handlers.

The controller extracts a resource parameter directly from the provided URI path. The application relies on this parameter to locate and invoke specific services, such as file management handlers or system scripting interpreters. Prior to the implemented fix, this input was passed to downstream functions without validation.

This architecture introduces a Path Traversal vulnerability (CWE-22). An unauthenticated remote attacker can supply directory traversal sequences within the URI. Because the application processes the path without bounding it to the intended web root, the attacker can access the underlying operating system filesystem and interact with unauthorized components.

The root cause of the vulnerability exists in the handleServiceRequest method. When an HTTP request is received, the method isolates the requested resource identifier from the URI. The application logic expects this identifier to map to an explicitly defined service or a specific file within a restricted service directory.

Instead of canonicalizing the requested path using filesystem-level functions, the application processes the string linearly. It appends the user-controlled resource string to the base directory path of the invoked service. If the appended string contains ../ sequences, the operating system's filesystem driver resolves these sequences by navigating upward in the directory tree.

The application lacks a strict bounding mechanism. It does not verify that the fully resolved absolute path remains a child of the intended base directory. This architectural omission allows the requested path to escape the restricted directory structure entirely.

The vendor attempted to mitigate the path traversal vulnerability in commit 54354605b2ec9afe6ee96756a5a22f6f56828950. The implemented solution relies on string replacement to remove standard directory traversal patterns from the user input.

The patch introduces the following logic into src/Http/Controllers/RestController.php:

// File: src/Http/Controllers/RestController.php
if (!empty($resource)) {
    $resource = str_replace(['..'], '', $resource);
    // Downstream service execution continues
}

This mitigation is technically insufficient due to its non-recursive implementation. The str_replace function performs a single pass over the input string. When an attacker provides a nested sequence such as ....//, the function targets the inner .. characters. Upon removal, the surrounding characters collapse to form a valid ../ sequence, successfully bypassing the filter.

Furthermore, the filter operates strictly on the literal .. string. It does not account for URL-encoded variations such as %2e%2e%2f or %2e%2e%5c. It also fails to normalize path separators, meaning backslashes (\) remain valid traversal operators on Windows-based deployments. This leaves the core vulnerability entirely exploitable.

Exploitation of CVE-2025-55988 requires the attacker to transmit a crafted HTTP GET request to the exposed DreamFactory REST API endpoint. The attack does not require authentication or specific prerequisite configurations. The payload is embedded directly within the URI path.

The attacker constructs the payload using the nested sequence technique to bypass the single-pass str_replace filter. A sequence of ....// is interpreted by the server filter, which removes the internal dots, resulting in ../. The attacker repeats this sequence sufficiently to navigate to the root directory of the host file system.

The following Nuclei template demonstrates the exploit structure used to verify arbitrary file read capabilities. It targets standard operating system files on both Unix and Windows environments to confirm traversal execution:

id: CVE-2025-55988-Detection
info:
  name: DreamFactory Core v1.0.3 RCE via Path Traversal
  severity: critical
requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/v2/system/....//....//....//etc/passwd"
      - "{{BaseURL}}/api/v2/system/....//....//....//windows/win.ini"
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
          - "\\[extensions\\]"

To escalate this arbitrary file read to remote code execution, the attacker targets writable configuration files, log directories, or exposed script services. By overwriting a critical application configuration file or invoking an internal scripting engine with a malicious payload, the attacker forces the application to execute arbitrary commands.

The exploitation of CVE-2025-55988 results in a critical compromise of the host system. The vulnerability fundamentally breaks the security boundary between the web application context and the underlying operating system. The initial impact is total loss of confidentiality regarding files accessible to the web server process.

Attackers utilize the file read capability to extract sensitive information, including environment variables, database credentials, cryptographic keys, and user session tokens. This data facilitates horizontal movement across the network and direct access to connected backend infrastructure.

The integrity and availability of the system are compromised when the vulnerability is escalated to remote code execution. Attackers achieve execution privileges equivalent to the user account running the web server. From this position, they can alter application logic, deploy persistent backdoors, or pivot to internal network segments.

The vulnerability maps directly to multiple MITRE ATT&CK tactics, including Exploitation of Remote Services (T1210) and Command and Scripting Interpreter execution (T1059.003, T1059.004). While not currently listed in the CISA Known Exploited Vulnerabilities catalog, public disclosure of the exploit mechanics increases the likelihood of widespread scanning and exploitation.

Administrators must upgrade DreamFactory Core to a secure release version exceeding 1.0.3. The official patch must implement strict path canonicalization rather than pattern blocklisting. Secure path resolution requires the application to resolve all symbolic links and relative references before performing boundary checks.

Developers must utilize native filesystem functions such as realpath() to generate the absolute path of the requested resource. Following canonicalization, the application must verify that the resulting path begins explicitly with the intended base directory using a strict string prefix comparison (strpos($resolvedPath, $basePath) === 0).

Organizations unable to apply immediate updates should deploy Web Application Firewall (WAF) rules to inspect incoming URI paths. The WAF must be configured to block requests containing nested traversal sequences (....//), double URL encoding (%252e%252e%252f), and anomalous backslash characters in path segments.

System administrators must enforce the principle of least privilege for the web server service account. Restricting filesystem read and write permissions to only strictly necessary application directories limits the operational impact of a successful directory traversal attack.