A critical vulnerability in the popular file-sharing tool ZendTo allows authenticated users to traverse system paths and access or modify sensitive files belonging to other users.
Tracked as CVE-2025-34508, the flaw affects ZendTo versions 6.15-7 and earlier. An attacker can exploit this issue to read server logs, user data, or critical application files.
ZendTo released a patch in version 6.15-8, and administrators are urged to update immediately to prevent unauthorized access.
How the Path Traversal Occurs
ZendTo enables users to drop off and pick up large files through a secure web interface.
When files are uploaded, the application relies on two key parameters: chunkName and tmp_name.
Normally, chunkName is generated by client-side scripts and sanitized to include only letters and numbers.
However, if chunkName contains no alphanumeric characters, the code defaults to the base upload directory.
Next, ZendTo concatenates tmp_name with the upload directory path without proper sanitization.
By supplying a specially crafted tmp_name, such as /../../log/zendto/zendto.log, an attacker can move arbitrary files from the server into their personal dropoff.
This relocation reveals the contents when the attacker downloads the dropoff package.
In default setups, any file accessible by the web server user is at risk, including uploaded files, logs, and configuration data.
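The behaviour described above, modelled in Python beside a hardened resolver. This is an added example, not ZendTo's own code (ZendTo is written in PHP). The function names, the `UnsafePath` exception and the `/var/zendto/incoming` base directory are assumptions, and the vulnerable function is a simplified model of the two behaviours the article names.

```python
import os
import re

UPLOAD_DIR = "/var/zendto/incoming"  # assumed base upload directory

class UnsafePath(ValueError):
    """Raised when client input would resolve outside the upload directory."""

def sanitize_chunk_name(chunk_name):
    # Keep letters and digits only, as the article describes.
    return re.sub(r"[^A-Za-z0-9]", "", chunk_name)

def resolve_vulnerable(chunk_name, tmp_name, base=UPLOAD_DIR):
    # Simplified model of the flaw: a chunk name that sanitizes to ""
    # falls back to the base directory, and tmp_name is appended as-is.
    chunk = sanitize_chunk_name(chunk_name)
    if chunk:
        return os.path.join(base, chunk)
    return os.path.normpath(base + tmp_name)

def inside_base(path, base=UPLOAD_DIR):
    # Compare fully resolved paths so ".." segments and symlinks
    # cannot hide an escape from the base directory.
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) == base_real

def resolve_hardened(chunk_name, base=UPLOAD_DIR):
    # Reject instead of falling back, never build the path from the
    # client-supplied tmp_name, and verify containment before any file move.
    chunk = sanitize_chunk_name(chunk_name)
    if not chunk or chunk != chunk_name:
        raise UnsafePath("chunk name must be non-empty and alphanumeric")
    candidate = os.path.realpath(os.path.join(base, chunk))
    if not inside_base(candidate, base):
        raise UnsafePath("resolved path escapes the upload directory")
    return candidate

if __name__ == "__main__":
    poc = (".", "/../../log/zendto/zendto.log")  # values quoted in the article
    escaped = resolve_vulnerable(*poc)
    print(escaped, "inside upload dir:", inside_base(escaped))
    try:
        resolve_hardened(poc[0])
    except UnsafePath as exc:
        print("hardened resolver rejected input:", exc)
```

The same containment test (`inside_base`) can be run over paths recorded in application logs to flag file moves whose source lies outside the upload directory.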
CVE Details
CVE ID | Affected Versions | Vulnerability Type | Impact | Patch Version |
---|---|---|---|---|
CVE-2025-34508 | 6.15-7 and earlier | Path traversal | Unauthorized file access and modification | 6.15-8 |
Proof of Concept and Impact
In a proof of concept, a researcher used a chunkName of "." and a tmp_name of /../../log/zendto/zendto.log.
The server moved its own log file into the dropoff directory.
The attacker then downloaded the logfile, which contained internal identifiers granting access to all other dropoff data.
With these identifiers, an attacker could systematically retrieve every file ever uploaded by legitimate users.
Beyond data theft, an attacker could target the ZendTo database or core software files.
Removing or corrupting these files would render the service unusable, causing a denial-of-service condition.
This incident underscores that even vulnerabilities requiring a valid login can be powerful when path validation is weak.
Attackers with legitimate credentials gain the ability to probe and manipulate sensitive assets, amplifying the risk far beyond typical account misuse.
ZendTo addressed CVE-2025-34508 in version 6.15-8. Administrators should upgrade without delay.
Users who cannot immediately update can implement a temporary mitigation by restricting filesystem permissions so the web server user cannot read or move files outside its intended directory.
Monitoring server logs for suspicious drop-off activity is also advised.
Application owners should adopt a defense-in-depth approach. Always validate and sanitize user inputs on both client and server sides.
Employ security frameworks that enforce strict path normalization.
Regularly review and test file upload and download logic for path traversal and related issues.
By combining prompt patching, least-privilege permissions, and rigorous input validation, organizations can ensure ZendTo deployments remain secure against emerging threats.