Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
CVE-2025-58902 represents a critical vulnerability in Lighthouse versions 1.2.12 and earlier that allows unauthenticated attackers to perform local file inclusion (LFI) attacks. This CWE-98 vulnerability is particularly severe because it requires no authentication, meaning any remote actor can exploit it to read arbitrary files from the affected system. Organizations running vulnerable Lighthouse instances—commonly used for performance auditing and web quality analysis—face immediate risk of information disclosure, including sensitive configuration files, source code, and credentials that could enable further compromise.
While this CVE currently shows zero matching Casky skills and no mapped MITRE ATT&CK techniques in the disclosed data, practitioners using Casky.ai's Claude-powered analysis would benefit from extended reasoning capabilities that correlate LFI patterns with reconnaissance and credential access techniques. Security teams should monitor for HTTP requests with path traversal payloads (../ sequences, encoded variants), unusual file access patterns in application logs, and requests targeting sensitive locations like /etc/passwd or configuration directories. Even without explicit ATT&CK mappings, Casky's skill framework enables detection of the underlying attack mechanics: initial reconnaissance through information gathering, lateral movement preparation via credential discovery, and potential privilege escalation—patterns that emerge when analyzed through behavioral correlation across the 754 mapped security skills.
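The monitoring guidance above, as an added example that is not part of the original page or Casky's tooling: a small Python detector that percent-decodes each request target (including double-encoded variants) before matching traversal sequences and sensitive paths. The log lines, the `file` parameter, and the config file names are constructed assumptions, not details of the actual Lighthouse flaw.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # ../ or ..\ once decoded
# /etc/passwd is named on the page; the other file names are assumed examples
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|\.env\b|config\.(?:php|ya?ml|json|ini)', re.I)

# Constructed sample log lines (documentation IP ranges, hypothetical "file" parameter)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /index.php?file=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fapp%2fconfig.php HTTP/1.1" 200 97',
    '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252f.env HTTP/1.1" 404 0',
]

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded variants (%252e) are normalised."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def inspect_line(line):
    """Return the reasons a log line looks like an LFI probe (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded, rounds = fully_decode(m.group(1))
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-target")
    if rounds > 1:  # more than one decoding pass was needed
        reasons.append("multi-encoded")
    return reasons

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = inspect_line(line)
        if hits:
            print(",".join(hits), "<-", line)
```

A 200 response with an unusual body size on a flagged line deserves priority over a 404, since it suggests the inclusion returned content.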
© 2026 Casky.AI, Inc. · AI Security Investigation