CVE-2025-34095 PUBLISHED

Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp

Assigner: VulnCheck
Reserved: 15.04.2025 Published: 10.07.2025 Updated: 11.07.2025

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Real Time Logic
Product	Mako Server
Versions	Default: unaffected affected from 2.5 to 2.6 (incl.)

Credits

John Page (hyp3rlinx) of Beyond Security SecuriTeam Secure Disclosure finder

References

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE

Impacts

CAPEC-88 OS Command Injection
CAPEC-137 Parameter Injection