CVE ID: CVE-2025-65882
Project: OpenMPTCProuter
Component: RUTX image build script (now removed)
Impact: Build-time code execution (developer / CI environment only)
Reported by: Arad Cohen
A security issue was identified in a flow used for generating RUTX images in the OpenMPTCProuter project. The flow contained Insecure Temporary File (CWE-377) that could lead to a command injection during the image build process.
The affected code was present in the public repository but was not part of the runtime firmware and was only used during image generation for the RUTX platform.
Following a report to the maintainers, the vulnerable package/script was removed from the repository.
- Runtime impact: None. The vulnerable code was not used in the runtime firmware.
- Affected environment: Developers or CI environments building RUTX images using the affected script, before its removal.
- Affected versions: All released versions up and including v0.64. The issue was fixed in source (see commit
09393d1c41a227bea7d5b85c0a06221b1302b25f), but it has not yet been included in a released version.
The create_xor_ipad_opad function in sysupgrade.c creates temporary files in an insecure way
char *create_xor_ipad_opad(char *f_xor, unsigned long long *xor_buffer)
{
int fd;
char *file;
file = mktemp(f_xor);
fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
if (fd == -1) {
perror(file);
return NULL;
}
write(fd, xor_buffer, sizeof(*xor_buffer));
close(fd);
return file;
}The use of mktemp produces a predictable filename without safely creating the file.
This introduces a classic insecure temporary file vulnerability, allowing an attacker to create the file in advance or replace it with a malicious symlink before it opened.
As a result, an attacker controlling the build environment could force the program to write the xor_buffer into an arbitrary file chosen by the attacker, or alternatively inject arbitrary content into the temporary file.
The temporary file is later concatenated and passed to system:
snprintf(command, sizeof(command),
"cat %s %s | openssl dgst -sha256 -binary -out %s",
sw_file, code_file, tmp_file);
retval = system(command);Becuase the temporary file is attacker-controlled, this creates a command injection vector via system, triggered during the image verification routine of the RUTX image build system.
Under certain build-time conditions, an attacker who can influence the temporary file (or the working directory) could achieve arbitrary command execution in the context of the machine building the firmware image.
This issue affects only image generation for the RUTX platform and does not impact runtime firmware images.
The maintainers removed the affected package/script in commit:
https://github.com/Ysurac/openmptcprouter/commit/09393d1c41a227bea7d5b85c0a06221b1302b25f
Users building custom RUTX images should ensure they are using a revision of the repository that includes this commit or later.
No action is required for regular OpenMPTCProuter users who do not build custom RUTX images.
- 2025-11-15 – Issue discovered by the reporter
- 2025-11-15 – Report sent to the maintainers
- 2025-11-15 – Maintainers removed the affected package/script
- 2025-11-29 – CVE-2025-65882 reserved by MITRE
- 2025-11-29 – Public advisory published
This issue was reported by Arad (aradcoh) Cohen.