NavigaTUM, a web application and API designed for searching rooms, buildings, and other locations, contained a critical path traversal vulnerability identified as CVE-2026-25575. The vulnerability exists in the propose_edits endpoint, where the application fails to properly sanitize file keys in JSON payloads. Attackers can include relative path traversal sequences such as "../../" to escape the intended temporary directory and write files to arbitrary locations writable by the application user, such as the /cdn directory. This can lead to overwriting public-facing images or filling the server's storage, potentially causing denial of service or enabling further attacks like web defacement or code injection if executable files are placed. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The issue was fixed in commit 86f34c7 by properly sanitizing input to prevent directory traversal. The CVSS 4.0 score is 8.8 (high), reflecting the ease of exploitation and significant impact on integrity and availability. No known exploits in the wild have been reported yet.

For European organizations using NavigaTUM, this vulnerability poses a significant risk. Attackers can remotely overwrite files without authentication, potentially defacing websites, disrupting services by filling storage, or planting malicious files for further exploitation. Public-facing institutions such as universities, municipal offices, or companies relying on NavigaTUM for location services could suffer reputational damage and operational downtime. The integrity of publicly accessible content can be compromised, and availability may be impacted due to resource exhaustion. Given the unauthenticated nature of the exploit, attackers from anywhere can target vulnerable deployments, increasing the threat landscape. Organizations with strict data integrity and availability requirements, such as government or critical infrastructure entities, are particularly at risk.

Organizations should immediately verify their NavigaTUM version and apply the patch introduced in commit 86f34c7 or upgrade to a fixed version. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences in the propose_edits endpoint payloads. Restrict write permissions of the application user to only necessary directories and avoid writable directories that serve public content. Monitor logs for suspicious requests attempting directory traversal patterns. Conduct regular security audits of input validation mechanisms in web APIs. Additionally, implement rate limiting and anomaly detection to reduce the risk of automated exploitation attempts. Backup critical data and have an incident response plan ready in case of compromise.