CVE-2025-55149 – tiny-scientist
Package
Manager: pip
Name: tiny-scientist
Vulnerable Version: >=0 <=1.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
EPSS: 0.00066 (percentile 0.20776)
Details
TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)

## Description

A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.

## Impact

This vulnerability allows attackers to:

- Read any PDF file accessible to the server process
- Potentially access sensitive documents outside the intended directory
- Perform reconnaissance on the server's file system structure

## Vulnerable Code

The issue occurs in the `review_paper` function around line 744:

```python
import os

# Excerpt from review_paper(): pdf_path is taken from the request body.
if pdf_path.startswith("/api/files/"):
    # Safe path handling for API routes
    relative_path = pdf_path[len("/api/files/"):]
    generated_base = os.path.join(project_root, "generated")
    absolute_pdf_path = os.path.join(generated_base, relative_path)
else:
    absolute_pdf_path = pdf_path  # VULNERABLE: Direct use of user input
```

## Proof of Concept

```bash
curl -X POST http://localhost:5000/api/review \
  -H "Content-Type: application/json" \
  -d '{"pdf_path": "/etc/passwd"}'
```

## Credit

This vulnerability was discovered and reported by Ruizhe.
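A hardened replacement for the branch above, added here as an example and not code from the tiny-scientist project: it refuses any `pdf_path` that does not begin with `/api/files/`, strips the prefix, and accepts the result only if, after `..` and symlink normalisation, it still lies under `<project_root>/generated` and names a `.pdf` file. The `project_root` argument, the `is_safe_pdf_request` helper and the sample root `/opt/tiny-scientist` are assumptions for this example; it goes slightly beyond the advisory's fix direction by also closing traversal inside the "safe" branch.

```python
import os

# Added hardening example (not the tiny-scientist project's own code).
API_PREFIX = "/api/files/"


def resolve_pdf_path(pdf_path: str, project_root: str) -> str:
    """Map a client-supplied pdf_path onto <project_root>/generated.

    Raises ValueError for anything the review endpoint should not open:
    paths without the API prefix, paths that escape generated/ after
    normalisation, and targets that are not PDF files.
    """
    if not pdf_path.startswith(API_PREFIX):
        # The vulnerable code fell through to `absolute_pdf_path = pdf_path`
        # here; a server-side file name must never be taken from the client.
        raise ValueError("pdf_path must start with /api/files/")
    relative_path = pdf_path[len(API_PREFIX):]
    generated_base = os.path.realpath(os.path.join(project_root, "generated"))
    # os.path.join discards the base when the second part is absolute,
    # so strip leading separators before joining.
    candidate = os.path.realpath(
        os.path.join(generated_base, relative_path.lstrip("/\\"))
    )
    # Containment check on the canonical path: '..' and symlinks are resolved.
    if os.path.commonpath([generated_base, candidate]) != generated_base:
        raise ValueError(f"pdf_path escapes generated/: {pdf_path!r}")
    if not candidate.lower().endswith(".pdf"):
        raise ValueError("only .pdf files may be reviewed")
    return candidate


def is_safe_pdf_request(pdf_path: str, project_root: str) -> bool:
    """Boolean wrapper around resolve_pdf_path for request validation."""
    try:
        resolve_pdf_path(pdf_path, project_root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/opt/tiny-scientist"  # constructed sample root; need not exist
    for p in ["/api/files/paper.pdf", "/etc/passwd",
              "/api/files/../../etc/passwd", "/api/files//etc/passwd"]:
        print(f"{p!r:36} -> {is_safe_pdf_request(p, root)}")
```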
Metadata
Created: 2025-08-11T13:38:14Z
Modified: 2025-08-11T13:38:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-rrgf-hcr9-jq6h/GHSA-rrgf-hcr9-jq6h.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-rrgf-hcr9-jq6h
Finding: F063
Auto approve: 1