ShowDoc RCE Exploited
A remote-code-execution flaw in ShowDoc (CVE-2025-0520) is being actively exploited on unpatched servers. Reports put the number of exposed instances at more than 2,000, and versions prior to 2.8.7 are affected. The advisory highlights active exploitation of internet-facing documentation platforms. (thehackernews.com)
ShowDoc, a web tool teams use to store technical docs and application programming interface notes, is now being hit through an old server-takeover bug on unpatched systems. (securityaffairs.com)
The flaw is tracked as CVE-2025-0520 and affects ShowDoc versions before 2.8.7, according to the Common Vulnerabilities and Exposures record and the National Vulnerability Database. Both records describe it as an unrestricted file upload bug that can lead to remote code execution. (cve.org) (nvd.nist.gov)
In plain terms, the bug lets an attacker smuggle a malicious server file through an upload feature that should have accepted only safe file types. Once that file lands on the server, the attacker can run commands on the machine hosting ShowDoc. (github.com) (cve.org)
Security reports published April 14 said attackers are already using the flaw in the wild, and VulnCheck said it observed exploitation against a United States honeypot. The same reporting said more than 2,000 internet-exposed ShowDoc instances remain reachable online, with most of them in China. (thehackernews.com) (cybelangel.com)
The bug was fixed years ago, not this month. SecurityAffairs and CybelAngel both said ShowDoc version 2.8.7 shipped in October 2020, which means the current attacks are targeting systems that never installed the patch. (securityaffairs.com) (cybelangel.com)
That makes this an example of an “N-day” attack, the security industry’s term for abuse of a known flaw after a fix already exists. The risk is higher with documentation servers because they often hold internal network details, credentials, and system diagrams that can help an intruder move deeper into a company. (cybelangel.com)
The technical root cause sits in ShowDoc’s image upload path, where file-extension checks were misconfigured, according to CybelAngel’s summary of the vulnerability. Its report said the framework ignored the wrong property name, which left dangerous file types such as PHP able to pass through. (cybelangel.com)
The Common Vulnerabilities and Exposures entry lists the weakness as CWE-434, or unrestricted upload of a file with a dangerous type, and gives the bug a Common Vulnerability Scoring System version 4.0 score of 9.4. GitHub’s advisory database also marks the issue critical and says patched versions start at 2.8.7. (cve.org) (github.com)
ShowDoc’s release history cited in current coverage says the project has moved on to version 3.8.1, but the attacks now hitting older servers show how long forgotten internal tools can stay exposed online. The immediate line between safe and unsafe is simple: anything older than 2.8.7 is still in the blast zone. (github.com) (cybelangel.com)
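The root cause described above, a misnamed upload option that is silently ignored so the extension check never takes effect, can be shown as an added example (not ShowDoc's or its framework's code). The `Uploader` class, the `exts` and `allowedExts` option names, and the sample filenames are hypothetical; the weak mode sits beside a hardened mode that rejects unknown options and fails closed. It assumes PHP 8.0 or later.

```php
<?php
// Hypothetical uploader: every name here is illustrative, not taken from ShowDoc.
class Uploader
{
    // The only option this class knows; empty means "no allowlist configured".
    protected array $config = ['exts' => []];

    public function __construct(protected bool $strict = false) {}

    // Magic setter for options. Weak mode silently drops unknown names,
    // strict mode turns the same mistake into a configuration error.
    public function __set(string $name, $value): void
    {
        if (array_key_exists($name, $this->config)) {
            $this->config[$name] = $value;
        } elseif ($this->strict) {
            throw new InvalidArgumentException("unknown upload option: $name");
        }
    }

    public function accepts(string $filename): bool
    {
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        if ($this->strict) {
            // Hardened: fail closed, an empty allowlist accepts nothing.
            return in_array($ext, $this->config['exts'], true);
        }
        // Weak: an empty allowlist is treated as "no restriction".
        return $this->config['exts'] === []
            || in_array($ext, $this->config['exts'], true);
    }
}

$images = ['jpg', 'jpeg', 'png', 'gif'];   // constructed sample allowlist

// Weak: the caller uses the wrong option name, so the allowlist is never stored
// and the check below runs against an empty list.
$weak = new Uploader();
$weak->allowedExts = $images;
var_dump($weak->accepts('notes.php'));

// Hardened: the wrong name is rejected when the uploader is configured,
// and the correct name enforces the image-only policy.
$hard = new Uploader(strict: true);
try {
    $hard->allowedExts = $images;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$hard->exts = $images;
var_dump($hard->accepts('notes.php'), $hard->accepts('diagram.PNG'));
```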