CVE-2025-53534 – github.com/tnborg/panel
Package
Manager: go
Name: github.com/tnborg/panel
Vulnerable Version: >=2.3.19 <2.5.6 || >=0.0.0-20241111062800-91ecd04c2700 <0.0.0-20250707071915-4985eb2e1f38
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00315 pctl0.54023
Details
RatPanel can perform remote command execution without authorization

### Summary

* When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel **without logging in**.
* In addition to this **remote code execution (RCE) vulnerability**, the flawed code also leads to **unauthorized access**.

### Details

In Go, `r.URL.Path` holds the part of the URL that comes after the host and port and before the query string or fragment. For example, for the URL `http://localhost:8080/api/ws/ssh?id=1` the retrieved path is `/api/ws/ssh`. If the request is instead made to `http://localhost:8080//api/ws/ssh?id=1`, the parsed `r.URL.Path` is `//api/ws/ssh`.

RatPanel uses the `CleanPath` middleware provided by the `github.com/go-chi/chi` package to clean URLs. The route path inside the chi router is cleaned to `/api/ws/ssh`, but this middleware does not rewrite `r.URL.Path`, so that value is still `//api/ws/ssh`.

In the `must_login` middleware, RatPanel matches `r.URL.Path` against a hard-coded prefix whitelist. Because `/api/ws` does not match `//api/ws`, the `must_login` middleware allows the request through, while the chi router has already cleaned `//api/ws` to `/api/ws` and dispatches it to the protected handler. This inconsistency leads to an authentication bypass and access to dangerous interfaces such as `/api/ws/exec` and `/api/ws/ssh`.

There are some limitations. Before exploiting this interface, the attacker must first identify the correct backend address of RatPanel so that the session is marked as legitimate, specifically so that `sess.Put("verify_entrance", true)` has been executed. That said, accessing `/api/ws` only requires an activated session and does not require completing any further authentication or login steps. Therefore, this is assessed as a remotely exploitable command execution vulnerability of moderate severity.
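To make the router-versus-middleware inconsistency concrete, the following is an added Go example (not RatPanel's code and not the project's actual fix): it places the check quoted from `must_login.go` beside a hardened variant that normalises the path with `path.Clean` before deciding, and runs both over constructed request paths. The whitelist entries are assumptions, and the `verify_entrance` session gating described above is not modelled.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed whitelist of routes reachable without login. The real RatPanel
// list is not reproduced here; these two entries are assumptions for the demo.
var whiteList = []string{"/api/user/login", "/api/ws"}

func inList(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// vulnerableIsPublic mirrors the check quoted from must_login.go. It inspects
// the raw r.URL.Path, which chi's CleanPath normalises only for routing, not
// on the request itself, so "//api/ws/exec" is neither whitelisted nor
// "/api"-prefixed and falls through as if it were a public route.
func vulnerableIsPublic(rawPath string) bool {
	return inList(whiteList, rawPath) || !strings.HasPrefix(rawPath, "/api")
}

// fixedIsPublic is one possible hardening (not the project's patch): it
// normalises with path.Clean, which collapses "//" and resolves "..", so the
// authentication decision is made on the same path the router dispatches on.
func fixedIsPublic(rawPath string) bool {
	p := path.Clean("/" + rawPath) // forced leading slash keeps "" and "*" rooted
	return inList(whiteList, p) || !strings.HasPrefix(p, "/api")
}

func main() {
	// Constructed sample request paths, including the double-slash bypass.
	samples := []string{"/api/ws/exec", "//api/ws/exec", "/api/../api/ws/ssh", "/api/ws", "/dashboard"}
	for _, rp := range samples {
		fmt.Printf("%-20s vulnerable:public=%-5v fixed:public=%v\n",
			rp, vulnerableIsPublic(rp), fixedIsPublic(rp))
	}
}
```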
### PoC

I first carried `session=......`, accessed the backend login page normally (without completing the authentication process), activated the session, and then used the [_wsdump.py](https://github.com/websocket-client/websocket-client/blob/master/websocket/_wsdump.py) script provided by the Python websocket-client library to complete the authentication and exploit the vulnerability.

Because of the authorization code

```golang
// internal/http/middleware/must_login.go
if slices.Contains(whiteList, r.URL.Path) || !strings.HasPrefix(r.URL.Path, "/api") {
    next.ServeHTTP(w, r)
    return
}
```

this vulnerability affects the authorization mechanism across all APIs, for example

This authentication vulnerability appears to affect versions **v2.3.19 to v2.5.5**.

---

Data packet

```text
GET //api/...... HTTP/2
Host: IP:PORT
Cookie: session=XXXXXX
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Connection: close
```

```cmd
python _wsdump.py wss://ip:port//api/ws/exec --headers "Cookie: session=xxxxxx" -n
```

### Impact

Users running RatPanel versions v2.3.19 to v2.5.5, especially those who have exposed their admin panel login URL or use weak login URL paths, are vulnerable to unauthorized access. Additionally, versions v2.5.1 to v2.5.5 are susceptible to server and hosted machine takeover.
Metadata
Created: 2025-08-04T20:46:32Z
Modified: 2025-08-06T14:12:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-fm3m-jrgm-5ppg/GHSA-fm3m-jrgm-5ppg.json
CWE IDs: ["CWE-22", "CWE-305", "CWE-436"]
Alternative ID: GHSA-fm3m-jrgm-5ppg
Finding: F184
Auto approve: 1