CVE-2025-34277

Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.nagios.com/changelog/#log-server-2024R1	Release Notes
https://www.nagios.com/products/security/#log-server	Product
https://www.vulncheck.com/advisories/nagios-log-server-rce-via-malformed-dashboard-id	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nagios:log_server::::::::
	cpe:2.3:a:nagios:log_server:2024:r1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3::::::

History

No history.

Information

Published : 2025-10-30 22:15

Updated : 2025-11-06 16:27

NVD link : CVE-2025-34277

Mitre link : CVE-2025-34277

CVE.ORG link : CVE-2025-34277

JSON object : View

Products Affected

nagios

log_server

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-34277", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-30T22:15:48.227", "references": [{"url": "https://www.nagios.com/changelog/#log-server-2024R1", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.nagios.com/products/security/#log-server", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/nagios-log-server-rce-via-malformed-dashboard-id", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Nagios Log Server versions prior to\u00a02024R1.3.1 contain a code injection vulnerability where\u00a0malformed dashboard ID values are not properly validated before being forwarded to an internal API.\u00a0An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process."}], "lastModified": "2025-11-06T16:27:31.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1", "versionEndExcluding": "2024"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}