CVE-2025-60786: Zip Slip in IceScrum Project Import
CVE Information
CVE ID: CVE-2025-60786
Severity: High
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Vendor: IceScrum
Affected Product: IceScrum
Vulnerability Type: Zip Slip (Path Traversal via Archive Extraction)
Vulnerability Details
The project import feature in IceScrum fails to properly sanitize file paths when extracting user-supplied project archives (e.g., ZIP). A crafted archive can include file entries with directory traversal sequences such as ../ that escape the intended extraction directory. Successful exploitation allows an attacker to write arbitrary files to locations on the server filesystem.
Depending on the deployment, an arbitrary file write can lead to remote code execution, configuration tampering, service disruption, or data exfiltration. By default, the application allows self-registration, so a self-registered user can reach the import capability and exploit this vulnerability, which significantly elevates the overall severity.
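The mitigation for the flaw described above is a containment check on every entry path before extraction. The following Python routine is an added illustration, not IceScrum code (IceScrum is a Grails application, but the same canonical-path check applies in Java), and its ZIP archives are constructed in memory for the demonstration:

```python
import io
import tempfile
import zipfile
from pathlib import Path


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract a ZIP into dest_dir, refusing the whole archive if any entry
    escapes it: each name is joined to the canonical destination and resolved,
    so '../' segments and absolute paths fail the containment check."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            targets.append((info, target))
        # All entries validated; only now touch the filesystem (no partial writes).
        written = []
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # zipfile does not sanitize names on write
    return buf.getvalue()


def demo(dest_dir: str = "") -> tuple:
    """Extract a benign archive, then show a traversal entry being rejected."""
    dest_dir = dest_dir or tempfile.mkdtemp()
    extracted = safe_extract(build_archive({"project/export.xml": b"<project/>"}), dest_dir)
    try:
        # Constructed archive whose entry name climbs out of the destination.
        safe_extract(build_archive({"../escaped.txt": b"outside"}), dest_dir)
        rejected = False
    except ValueError:
        rejected = True
    return extracted, rejected
```

Note that `zipfile.ZipFile.extractall` already strips traversal components, but extraction code that opens and writes entries itself, as the vulnerable import path does, must perform this check explicitly.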
Proof of Concept
Affected Versions
This vulnerability affects IceScrum versions ≤ 7.5.4. Organizations running affected versions should apply the security patch or disable the project archive import feature until patched.
References
This research was conducted by the ZDaylabs security team as part of our ongoing commitment to improving application security.