Open Journal Systems 3.5.0-1 Path Traversal

Open Journal Systems (OJS) is a widely used platform for Open Journal Systems (OJS) is a widely used platform for managing and publishing scholarly journals. Version 3.5.0-1 was found to be vulnerable to a path traversal flaw.

This vulnerability allowed an attacker to manipulate file paths, typically by injecting sequences like `../` (dot-dot-slash) into requests. By doing so, they could access arbitrary files and directories stored outside the intended application directory.

This includes sensitive system files, configuration files, or other data that should not be publicly accessible. The root cause was insufficient input validation on user-supplied file paths.

Successful exploitation could lead to information disclosure and potentially further system compromise. Users of OJS 3.5.0-1 are strongly advised to upgrade to a patched version to remediate this risk.

---------------------------------------------------------------------------------------------
Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path
Traversal Vulnerability
---------------------------------------------------------------------------------------------


[-] Software Links:

https://pkp.sfu.ca/software/ojs/
https://github.com/pkp/ojs


[-] Affected Versions:

Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and prior versions.
Version 3.5.0-1 and prior versions.


[-] Vulnerability Description:

The vulnerability exists because user input passed to the "Native XML
Plugin" through the issue -> issue_galleys -> issue_galley ->
issue_file -> file_name tag of the imported XML file is not properly
sanitized before being used to set the "server-side file name", which
is later used as the final part of a variable which is used at in a
call to the writeFile() method without proper validation. This can be
exploited to write/overwrite arbitrary files on the web server via
Path Traversal sequences, potentially leading to, e.g., execution of
arbitrary PHP code (RCE).

Successful exploitation of this vulnerability requires an account with
permissions to access the "Import/Export" plugin ("Native XML
Plugin"), such as a "Journal Editor" or "Production Editor" user
account. Furthermore, in order to perform the following Remote Code
Execution (RCE) attack, the attacker should know or guess/disclose the
webserver path in which OJS is located (e.g.
/var/www/html/ojs-3.5.0-1).


[-] Solution:

Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.


[-] Disclosure Timeline:

[21/10/2025] - Vendor notified
[24/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11973
[12/11/2025] - CVE identifier requested
[20/11/2025] - Version 3.3.0-22 released
[22/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67890 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-11