CVE-2025-34171: CWE-862 Missing Authorization in IceWhale Tech CasaOS
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.
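The three defects the description names (no authorization on the endpoints, a user-controlled path parameter reaching files under a directory, and distinct error responses that act as a file-existence oracle) each have a standard fix. The following is an added example written for this page, not CasaOS code: the route names mirror the advisory, while the bearer-token check, the `resolve` helper, the temporary image directory and the redacted debug body are all constructed for illustration.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// exampleToken is a constructed credential for this example only; a real
// deployment would validate a session cookie or signed token instead.
const exampleToken = "Bearer example-token"

// requireAuth rejects any request that does not carry a valid credential
// before the wrapped handler runs. This is the check whose absence is CWE-862.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != exampleToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// resolve confines a user-supplied path to root. It returns ok=false when the
// cleaned result would leave root (for example via ".." segments). Symlinks
// inside root are not resolved here; that would need filepath.EvalSymlinks.
func resolve(root, userPath string) (string, bool) {
	root = filepath.Clean(root)
	full := filepath.Join(root, userPath) // Join also cleans the result
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", false
	}
	return full, true
}

// notFound is the single response used for rejected, missing and unreadable
// paths, so status and body cannot be used to enumerate files on the host.
func notFound(w http.ResponseWriter) {
	http.Error(w, "not found", http.StatusNotFound)
}

// newImageHandler serves files strictly from root, addressed by ?path=.
func newImageHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		full, ok := resolve(root, r.URL.Query().Get("path"))
		if !ok {
			notFound(w)
			return
		}
		data, err := os.ReadFile(full)
		if err != nil { // missing, permission denied, directory: all identical
			notFound(w)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write(data)
	})
}

// newRouter wires both endpoints named in the advisory behind requireAuth.
func newRouter(root string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/v1/users/image", requireAuth(newImageHandler(root)))
	mux.Handle("/v1/sys/debug", requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, `{"debug":"redacted in example"}`) // constructed body
	})))
	return mux
}

// call issues an in-memory request and returns status and trimmed body, so
// the behaviour can be checked without opening a network listener.
func call(h http.Handler, token, target string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	root, _ := os.MkdirTemp("", "images") // constructed stand-in for the image directory
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "avatar.png"), []byte("png-bytes"), 0o600)
	h := newRouter(root)
	for _, tc := range []struct{ token, target string }{
		{"", "/v1/sys/debug"},                                   // 401: no credential
		{exampleToken, "/v1/users/image?path=avatar.png"},       // 200: inside root
		{exampleToken, "/v1/users/image?path=../../etc/passwd"}, // 404: escapes root
		{exampleToken, "/v1/users/image?path=missing.png"},      // 404: same body as above
	} {
		code, body := call(h, tc.token, tc.target)
		println(tc.target, code, body)
	}
}
```

The design point is that the rejected-path branch and the read-failure branch deliberately share one response, so a caller cannot distinguish "outside the allowed directory" from "inside but absent"; logging the distinction server-side for detection is fine, returning it to the client is what creates the enumeration oracle.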
AI Analysis
Technical Summary
CVE-2025-34171 was reserved on April 15, 2025, but later rejected by the assigning authority VulnCheck. The absence of any technical details, affected software versions, or exploit information suggests that this identifier does not correspond to a valid or confirmed vulnerability. The rejection status typically means that the reported issue was either invalid, a duplicate, or otherwise not qualifying as a security vulnerability. Without any CVSS score or patch information, there is no basis for assessing the threat or its characteristics. No indicators of compromise or exploitation in the wild have been reported. As such, this CVE entry does not represent an actionable security threat at this time.
Potential Impact
Given the rejection of CVE-2025-34171 and the lack of any technical or exploit data, there is no known impact on confidentiality, integrity, or availability. European organizations are not exposed to risk from this non-existent or invalid vulnerability. No disruption, data breach, or system compromise can be attributed to this CVE. Therefore, it does not pose any operational or security impact currently or foreseeably.
Mitigation Recommendations
Since CVE-2025-34171 is a rejected and unconfirmed vulnerability with no affected products or technical details, no specific mitigation steps are applicable. Organizations should continue standard security best practices, including timely patching of confirmed vulnerabilities and monitoring trusted vulnerability databases for updates. Security teams should disregard this CVE as a threat but maintain vigilance for any future advisories related to similar identifiers or products.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.567Z
- CVSS Version: null
- State: REJECTED
Threat ID: 6957f5dddb813ff03ef50c96
Added to database: 1/2/2026, 4:44:13 PM
Last enriched: 1/2/2026, 11:32:57 PM
Last updated: 1/7/2026, 4:13:29 AM
Views: 22
Related Threats
- CVE-2026-20893: Origin validation error in Fujitsu Client Computing Limited Fujitsu Security Solution AuthConductor Client Basic V2 (High)
- CVE-2025-14891: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ivole Customer Reviews for WooCommerce (Medium)
- CVE-2025-14059: CWE-73 External Control of File Name or Path in roxnor EmailKit – Email Customizer for WooCommerce & WP (Medium)
- CVE-2025-12648: CWE-552 Files or Directories Accessible to External Parties in cbutlerjr WP-Members Membership Plugin (Medium)
- CVE-2025-14631: CWE-476 NULL Pointer Dereference in TP-Link Systems Inc. Archer BE400 (High)