A significant security flaw has been identified in Lighthouse Studio, a widely utilized survey software developed by Sawtooth Software. This vulnerability, designated as CVE-2025-34300, resides in the Perl CGI scripts that facilitate web-based surveys, potentially allowing unauthorized individuals to execute arbitrary code on hosting servers.
Overview of Lighthouse Studio
Lighthouse Studio is a comprehensive survey platform that combines a Windows desktop application for survey design with server-side Perl CGI scripts to manage respondent interactions. This dual-component architecture enables organizations to create and deploy complex surveys efficiently.
Details of the Vulnerability
The core of this vulnerability lies in the server-side Perl CGI scripts, which utilize a templating engine to process user inputs. Security researchers at Assetnote discovered that the engine evaluates content enclosed within [% %] markers as executable Perl code. This behavior allows attackers to inject and execute malicious code by manipulating survey parameters.
Technical Exploitation Mechanics
The vulnerable code path is the following function (identifier names are obfuscated in the shipped scripts):
```perl
sub _foq {
    my ( $_gtp, $_gvf ) = @_;   # $_gtp holds template content derived from user-supplied input
    my $_ejf = '';              # initializer restored; it was lost in extraction
    $_ejf = eval($_gtp);        # user-controlled string evaluated as Perl code: the flaw
    # Additional error handling code
}
```
In this function, user input is passed directly to the `eval()` function without adequate validation, enabling the execution of arbitrary code. Attackers can exploit this by injecting payloads through the `hid_Random_ACARAT` parameter, such as `[%2577%25]`, which the templating engine processes and executes as Perl code.
For older versions of the software that implement basic input filtering, researchers identified a bypass technique using duplicate parameter names: `hid_Random_ACARAT=[%2577%25]&hid_Random_ACARAT=x`. This method leverages Perl’s array reference handling behavior to circumvent filtering mechanisms entirely.
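As an added example (not part of the original report or of Sawtooth's code), the detection logic below scans constructed web-server access-log lines for the two indicators described above: template markers in any parameter value at any URL-decoding depth, and a duplicated `hid_Random_ACARAT` key. The script path `/cgi-bin/survey.pl` and the log lines are placeholders; the same `analyse_query` function can be applied to a captured POST body.

```python
import re
from collections import Counter
from urllib.parse import unquote

PARAM = "hid_Random_ACARAT"
# Template markers the engine evaluates as Perl once the request is URL-decoded.
MARKER_RE = re.compile(r"\[%.*?%\]", re.S)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (not real traffic); the script path
# /cgi-bin/survey.pl is a placeholder, not the product's real file name.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2025:12:00:01 +0000] "GET /cgi-bin/survey.pl?hid_pagenum=2&hid_Random_ACARAT=4 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jul/2025:12:00:07 +0000] "GET /cgi-bin/survey.pl?hid_Random_ACARAT=[%2577%25] HTTP/1.1" 200 812
10.0.0.9 - - [10/Jul/2025:12:00:09 +0000] "GET /cgi-bin/survey.pl?hid_Random_ACARAT=[%2577%25]&hid_Random_ACARAT=x HTTP/1.1" 200 812
"""

def decode_layers(value, max_layers=3):
    # Value as seen at each successive URL-decoding layer (bounded, stops when stable).
    layers = [value]
    for _ in range(max_layers):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def analyse_query(query):
    # Flag [% ... %] markers at any decode depth, plus duplicated PARAM keys.
    pairs = [part.partition("=")[::2] for part in query.split("&") if part]
    findings = []
    for key, raw in pairs:
        for depth, val in enumerate(decode_layers(raw)):
            if MARKER_RE.search(val):
                findings.append(f"template marker in {key} (decode depth {depth})")
                break
    copies = Counter(key for key, _ in pairs)[PARAM]
    if copies > 1:
        findings.append(f"duplicate {PARAM} ({copies} copies)")
    return findings

def scan_log(text):
    # Returns (line number, findings) for every request line that triggers a finding.
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            findings = analyse_query(m.group(1).partition("?")[2])
            if findings:
                alerts.append((lineno, findings))
    return alerts
```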
Implications and Risks
The widespread use of Lighthouse Studio’s CGI scripts across multiple surveys within organizations amplifies the potential attack surface. A single company might operate numerous instances of these scripts, each vulnerable to exploitation. Compounding the risk, these scripts lack an automatic update mechanism, necessitating manual intervention to apply security patches.
If exploited, this vulnerability could grant attackers complete control over the hosting servers, leading to unauthorized access, data breaches, and potential system disruptions.
Mitigation Measures
In response to this critical security issue, Sawtooth Software released version 9.16.14 on July 9, 2025, which addresses the vulnerability. Organizations utilizing Lighthouse Studio are strongly advised to update to this latest version promptly to safeguard their systems against potential exploitation.
Conclusion
The discovery of CVE-2025-34300 underscores the importance of rigorous input validation and regular software updates in maintaining cybersecurity. Organizations must remain vigilant, ensuring that all components of their software infrastructure are up-to-date and secure to prevent unauthorized access and potential data breaches.