CVE-2025-32778: Web-Check allows Command Injection via Unvalidated URL in Screenshot API

9.3 CVSS

Description

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from the user-controlled url parameter being passed unsanitized into a shell command built with exec(), allowing an unauthenticated attacker to execute arbitrary system commands on the host running Web-Check. It can be exploited by sending crafted url parameters to the screenshot endpoint, for example to read files from the host or to establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which invokes the program directly without a shell and passes the URL as a separate argument, so shell metacharacters in it are no longer interpreted.

Classification

CVE ID: CVE-2025-32778

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Vendor: Lissy93

Product: web-check

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.44% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 61.9% (proportion of all scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-04-18 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32778
https://github.com/Lissy93/web-check/security/advisories/GHSA-5qg5-g7c2-pfx8
https://github.com/Lissy93/web-check/pull/243
https://github.com/Lissy93/web-check/commit/0e4958aa10b2650d32439a799f6fc83a7cd46cef

Timeline