{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53927", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-14T17:23:35.259Z", "datePublished": "2025-07-17T13:50:18.268Z", "dateUpdated": "2025-07-17T19:56:23.111Z"}, "containers": {"cna": {"title": "MaxKB sandbox bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4"}, {"name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0"}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-17T13:50:18.268Z"}, "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue."}], "source": {"advisory": "GHSA-5xhm-4j3v-87m4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-17T19:55:44.985730Z", "id": "CVE-2025-53927", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T19:56:23.111Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53927", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-17T19:55:44.985730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T19:55:48.900Z"}}], "cna": {"title": "MaxKB sandbox bypass", "source": {"advisory": "GHSA-5xhm-4j3v-87m4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4", "name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0", "name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-17T13:50:18.268Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53927", "state": "PUBLISHED", "dateUpdated": "2025-07-17T19:56:23.111Z", "dateReserved": "2025-07-14T17:23:35.259Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-17T13:50:18.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:lts:*:*:*", "matchCriteriaId": "2F17581A-45A6-42F7-99F1-5F37BCCA13F3", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue."}, {"lang": "es", "value": "MaxKB es un asistente de IA de c\u00f3digo abierto para empresas. Antes de la versi\u00f3n 2.0.0, las reglas de dise\u00f1o de la sandbox no se pod\u00edan eludir, ya que MaxKB solo restring\u00eda los permisos de ejecuci\u00f3n de los archivos en un directorio espec\u00edfico. Por lo tanto, un atacante pod\u00eda usar el m\u00e9todo `shutil.copy2` en Python para copiar el comando que desea ejecutar al directorio ejecutable. Esto elude las restricciones de directorio y el shell inverso. La versi\u00f3n 2.0.0 soluciona este problema."}], "id": "CVE-2025-53927", "lastModified": "2025-08-02T01:34:28.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-17T14:15:32.403", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xhm-4j3v-87m4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}