CVE-2025-67004 describes an information disclosure vulnerability affecting CouchCMS version 2.4. The issue involves an authenticated administrator being able to exploit directory traversal (CWE-22) to read arbitrary files on the web server by navigating back through directories beyond the intended scope. This can lead to exposure of sensitive files such as source code, configuration files, or other confidential data. The vulnerability is classified with a CVSS 3.1 base score of 6.5, reflecting medium severity, with attack vector being network-based, requiring low attack complexity and privileges of an admin user, and no user interaction. The scope remains unchanged, and the impact is high on confidentiality but none on integrity or availability. However, the vulnerability's existence is disputed by community feedback suggesting that if files are accessible via such traversal, it may be due to improper web server configuration rather than a flaw in CouchCMS itself. No patches or exploits have been reported, and the vulnerability was reserved in December 2025 and published in January 2026. The core technical risk lies in insufficient validation or sanitization of file path inputs allowing directory traversal by privileged users.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive information such as source code, internal configuration files, or other confidential data if an attacker gains admin access and exploits this vulnerability. This could lead to intellectual property theft, exposure of credentials or secrets, and increased risk of further attacks leveraging disclosed information. While the vulnerability requires admin privileges, insider threats or compromised admin accounts could be leveraged. The impact on confidentiality is high, but there is no direct impact on system integrity or availability. Organizations relying on CouchCMS 2.4 or similar CMS platforms with comparable configurations are at risk. Given the dispute about the root cause, organizations with misconfigured web servers exposing files via traversal are particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks.

European organizations should first verify and harden their web server configurations to prevent unauthorized file access via directory traversal. This includes disabling access to sensitive directories and files, enforcing strict path validation, and ensuring that web server rules do not allow backtracking beyond intended directories. CouchCMS administrators should restrict admin access to trusted personnel and implement strong authentication and monitoring to detect suspicious activity. Regularly audit file permissions and server logs for anomalous access patterns. If possible, upgrade to newer versions of CouchCMS or apply vendor patches once available. Employ web application firewalls (WAFs) with rules to detect and block directory traversal attempts. Additionally, conduct penetration testing focused on directory traversal and file disclosure to identify and remediate any configuration weaknesses. Since the vulnerability requires admin privileges, protecting admin accounts with multi-factor authentication and limiting their exposure is critical.