CVE-2025-35430 is a medium-severity path traversal vulnerability (CWE-22) found in CISA Thorium version 1.0.0. The vulnerability arises because the application does not properly validate or restrict the file paths used in its 'download_ephemeral' and 'download_children' functions. This improper limitation allows a remote attacker with authenticated access to manipulate the file path parameters to access arbitrary files on the underlying file system, constrained only by the file system permissions of the application process. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The scope is considered changed (S:C) because an attacker can potentially access files outside the intended directories, impacting the integrity of the system by unauthorized file access or disclosure of sensitive information. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N) indicates no confidentiality impact but a partial integrity impact and no availability impact. The vulnerability was fixed in version 1.1.2 of CISA Thorium. No known exploits are currently reported in the wild. The vulnerability requires the attacker to have some level of privileges (authenticated user) but does not require user interaction, making it a significant risk in environments where multiple users have access to the system. The lack of proper path validation could be exploited to read configuration files, source code, or other sensitive files that could aid further attacks or data leakage.

For European organizations using CISA Thorium 1.0.0, this vulnerability poses a risk of unauthorized file access by authenticated users, which could lead to exposure of sensitive configuration files, credentials, or intellectual property. Although the confidentiality impact is rated as none in the CVSS, in practical scenarios, access to arbitrary files can indirectly lead to confidentiality breaches if sensitive files are accessed. Integrity is impacted as attackers can potentially manipulate or read files that should be restricted, undermining trust in the system's data. This could affect sectors with strict data protection requirements such as finance, healthcare, and government agencies. The vulnerability could also facilitate lateral movement within networks if attackers gain access to critical files. Since the vulnerability requires authentication, the risk is higher in environments with weak access controls or where user accounts are shared or compromised. The medium severity suggests that while the threat is not critical, it should be addressed promptly to prevent escalation or exploitation in targeted attacks.

European organizations should immediately upgrade CISA Thorium to version 1.1.2 or later where the vulnerability is fixed. Until the upgrade is possible, organizations should restrict access to the affected functions ('download_ephemeral' and 'download_children') to trusted users only and implement strict access controls and monitoring on file system access. Employ application-layer firewalls or intrusion detection systems to detect anomalous file access patterns. Conduct thorough audits of user permissions and remove unnecessary privileges to minimize the risk of exploitation. Additionally, implement file integrity monitoring to detect unauthorized changes to critical files. Organizations should also review logs for suspicious activity related to file downloads and path manipulation attempts. Educating users about the risks of credential compromise and enforcing strong authentication mechanisms (e.g., multi-factor authentication) will reduce the likelihood of attackers gaining the required authenticated access to exploit this vulnerability.