N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-48204

GHSA ID

GHSA-463c-jhp2-4mm7

EPSS Score

0.41808%

CWE

CWE-78

Published

5/21/2025

Updated

5/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48204

CVE-2025-48204: The Backup Plus extension for TYPO3 (ns_backup) allows command injections

The ns_backup extension through 13.0.0 for TYPO3 allows command injection when creating a backup. An authenticated backend user with access to the extensions backend module is required to exploit the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48204

CVE-2025-48204:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-48204

GHSA ID

GHSA-463c-jhp2-4mm7

EPSS Score

0.41808%

CWE

CWE-78

Published

5/21/2025

Updated

5/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nitsan/ns-backup	composer	< 13.0.1	13.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an OS command injection in the ns_backup extension. I analyzed the provided commit patch (67b8102a19e8e516dc4228f5c42f9e4fba5046cb) which addresses this vulnerability.

There are two main vectors identified:

PHP Path Injection: The phpPath setting, configurable by an admin user, was used directly in an exec() call within NITSAN\NsBackup\Controller\BackupBaseController::generateBackup. If an attacker could set phpPath to a malicious string (e.g., '/usr/bin/php -r "system(\'id\');" #'), they could execute arbitrary commands. The functions NITSAN\NsBackup\Controller\BackupglobalController::createAction and NITSAN\NsBackup\Controller\BackupglobalController::updateAction were responsible for saving this setting without proper validation.
Argument Injection via Backup Name: The backupName parameter, taken from user input in NITSAN\NsBackup\Controller\BackupsController::backuprestoreAction, was used in NITSAN\NsBackup\Controller\BackupBaseController::getPhpbuBackup to construct a JSON configuration file for the phpbu.phar tool. This backupName was embedded into the JSON string without proper escaping, allowing an attacker to inject special characters to break the JSON structure and potentially inject malicious arguments into the phpbu.phar command line.

The patch addresses these by:

Adding is_executable() checks for phpPath in BackupglobalController (create/update actions) and BackupBaseController::generateBackup.
Adding sanitization for the backupName input in BackupsController::backuprestoreAction to prevent injection into the JSON generated by getPhpbuBackup.

The identified vulnerable functions are those directly involved in the exec() call, the unsafe construction of the JSON configuration, or the processing of the unsanitized user inputs that lead to these conditions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48204: The Backup Plus extension for TYPO3 (ns_backup) allows command injections

CVE-2025-48204:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-48204: The Backup Plus extension for TYPO3 (ns_backup) allows command injections

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI