Miggo Logo
Miggo Vulnerability Database
CVE-2025-10952

CVE-2025-10952: ml-logger file handler allows reading arbitrary files

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-10952
GHSA ID
GHSA-9x36-c74v-fgr6
EPSS Score
0.0719%
CWE
CWE-200
Published
9/25/2025
Updated
9/26/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ml-loggerpip<= 0.10.36

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability lies in the ml_logger/server.py file, specifically within the LoggingServer class. The analysis of the GitHub issue and the source code confirms that the stream_handler function is vulnerable to arbitrary file reading. The user-controlled key parameter is used to construct a file path without sufficient sanitization, leading to a path traversal vulnerability. An attacker can craft a request with a malicious key to access any file on the server's filesystem that the server process has read permissions for. The PoC provided in the GitHub issue (curl -X GET -H 'Content-Type: application/json' -d '{"key":"//proc/self/cmdline"}' http://127.0.0.1:8081/stream) clearly demonstrates this. Furthermore, the glob_handler function is also vulnerable in a similar way through the wd parameter, allowing an attacker to list files in arbitrary directories. The core of the issue is in the abs_path function, which fails to prevent path traversal. The identified functions, LoggingServer.stream_handler, LoggingServer.glob_handler, and LoggingServer.abs_path, would all appear in a runtime profile during exploitation of this vulnerability.

Vulnerable functions

LoggingServer.stream_handler
ml_logger/server.py
The function `stream_handler` takes a `key` from the user request via `req.json`. This `key` is then passed to `self.abs_path` to construct a file path. The `abs_path` function does not properly sanitize the input, allowing for a path traversal attack. An attacker can provide a malicious `key` (e.g., `//etc/passwd`) to read arbitrary files from the server's filesystem. The vulnerability is in the lack of input validation on the `key` parameter before it's used to construct a file path.
LoggingServer.glob_handler
ml_logger/server.py
The function `glob_handler` takes a `wd` (working directory) parameter from the user request. This `wd` is passed to `self.glob`, which in turn uses `self.abs_path` to resolve the path. Similar to `stream_handler`, there is no sanitization of the `wd` parameter, making it vulnerable to path traversal. An attacker can specify a malicious `wd` to list files in arbitrary directories on the server, which can be used in conjunction with the `stream_handler` vulnerability to first discover and then read sensitive files.
LoggingServer.abs_path
ml_logger/server.py
This function is called by `stream_handler` and `glob_handler` and is the root cause of the path traversal vulnerability. It attempts to construct an absolute path from the given `key`. If the `key` starts with a `/`, it joins it with the `root` directory. However, if the key is an absolute path itself (e.g., `//etc/passwd`), `os.path.join` will discard the `root` and return the absolute path, allowing an attacker to break out of the intended logging directory. The lack of validation for such absolute paths or traversal sequences (like `..`) is the core of the vulnerability.

WAF Protection Rules

WAF Rule

* s**urity *l*w **s ***n *is*ov*r** in **y*n* ml-lo***r up to ****************************************. *****t** *y t*is issu* is t** *un*tion str**m_**n*l*r o* t** *il* ml_lo***r/s*rv*r.py o* t** *ompon*nt *il* **n*l*r. P*r*ormin* m*nipul*tion o* t*

Reasoning

T** vuln*r**ility li*s in t** `ml_lo***r/s*rv*r.py` *il*, sp**i*i**lly wit*in t** `Lo**in*S*rv*r` *l*ss. T** *n*lysis o* t** *it*u* issu* *n* t** sour** *o** *on*irms t**t t** `str**m_**n*l*r` *un*tion is vuln*r**l* to *r*itr*ry *il* r***in*. T** us*