CVE-2025-66384
CVE-2025-66384 is a high-severity vulnerability with a CVSS 3.x base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-684.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 0% (23rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-199869
- Weakness: CWE-684
- Published:
- Last modified:
Description
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.
Frequently asked questions
- What is CVE-2025-66384?
- app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.
- How severe is CVE-2025-66384?
- CVE-2025-66384 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2025-66384 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (23rd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-66384?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-66384 have an EU (EUVD) identifier?
- Yes. CVE-2025-66384 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-199869.
- When was CVE-2025-66384 published?
- CVE-2025-66384 was published on 2025-11-28 and last updated on 2026-06-17.
References
- https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24
- https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5
Other CWE-684 vulnerabilities
- CVE-2024-50357 — Critical (CVSS 9.8): FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in…
- CVE-2024-6425 — Critical (CVSS 9.1): Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote…
- CVE-2023-24845 — Critical (CVSS 9.1): A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM…
- CVE-2023-4258 — High (CVSS 8.6): In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be…
- CVE-2025-58325 — High (CVSS 8.2): An Incorrect Provision of Specified Functionality vulnerability [CWE-684] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2.5…
- CVE-2025-47227 — High (CVSS 7.5): In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset…