<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(doyensec.com) Weaponizing NASA's CFITSIO Extended Filename Syntax: How Legacy Features Become Attack Surfaces]]></title><description><![CDATA[<p>(doyensec.com) Weaponizing NASA's CFITSIO Extended Filename Syntax: How Legacy Features Become Attack Surfaces</p><p>New research exposes how NASA’s CFITSIO Extended Filename Syntax (EFS) can be weaponized for arbitrary file copy, SSRF, HTTP header injection, and local file exfiltration. Legacy features in scientific tooling pose evolving risks when threat models shift.</p><p>In brief - CFITSIO’s EFS, designed for flexible file handling, enables critical attack primitives due to insufficient input sanitization and backward compatibility constraints. Mitigations like opt-in EFS and stricter validation are recommended.</p><p>Technically - Exploits leverage EFS clauses (e.g., `outfile`, `http://`, `root://[b...]`) to copy `/etc/passwd`, force downloads, inject HTTP headers via newlines, and reinterpret files as FITS data for exfiltration. Some apps (e.g., Siril) mitigate risks via literal file opens, but security was not the primary driver. 
Complexity arises from CFITSIO’s design and compatibility requirements.</p><p>Source: <a href="https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html" rel="nofollow noopener"><span>https://</span><span>blog.doyensec.com/2026/05/19/c</span><span>fitsio-weaponized-filenames.html</span></a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#<span>Cybersecurity</span></a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#<span>ThreatIntel</span></a></p>]]></description><link>https://board.circlewithadot.net/topic/3d4cf3e3-720e-4309-b293-30361aed5e13/doyensec.com-weaponizing-nasa-s-cfitsio-extended-filename-syntax-how-legacy-features-become-attack-surfaces</link><generator>RSS for Node</generator><lastBuildDate>Mon, 25 May 2026 12:12:17 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/3d4cf3e3-720e-4309-b293-30361aed5e13.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 19 May 2026 10:48:00 GMT</pubDate><ttl>60</ttl></channel></rss>