CVE-2025-50688

MEDIUM EPSS 90.8%

Published Aug 5, 202510mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Aug 5, 2025 10mo ago

Last Modified Jun 17, 2026 1w ago

Description

A command injection vulnerability exists in TwistedWeb (version 14.0.0) due to improper input sanitization in the file upload functionality. An attacker can exploit this vulnerability by sending a specially crafted HTTP PUT request to upload a malicious file (e.g., a reverse shell script). Once uploaded, the attacker can trigger the execution of arbitrary commands on the target system, allowing for remote code execution. This could lead to escalation of privileges depending on the privileges of the web server process. The attack does not require physical access and can be conducted remotely, posing a significant risk to the confidentiality and integrity of the system.

CVSS Details

Base Score

6.5

Exploitability

3.9

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

90.8% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-77 Command Injection Injection

Affected Products 1

Vendor	Product	Version	Range
twistedmatrix	twistedweb	14.0.0	any

References 2

medium.com https://medium.com/@Justinsecure/chained-rce-on-twistedweb-14-0-0-via-command-injection-and-unauthenticated-put-1aa657995b4e

ExploitThird Party Advisory
twisted.org https://twisted.org/documents/14.0.0/index.html

Product

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.