CVE-2025-2219
Published: 12 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2219 is a high-severity vulnerability in LoveCards LoveCardsV2 up to version 2.3.2, located in the file-upload handler behind the /api/upload/image endpoint. Manipulating the 'file' argument of that request results in unrestricted file upload; the issue is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which is High rather than Critical, and was published on 2025-03-12.
The vulnerability is exploitable remotely over the network with low attack complexity and requires neither authentication nor user interaction. By manipulating the file argument sent to the affected endpoint, an attacker can upload a file of an arbitrary type, which the public disclosure describes as an unauthenticated path to remote code execution (RCE). Note that the CVSS vector rates confidentiality, integrity and availability impact as Low each, which understates what unauthenticated RCE on the web server implies; treat exposed instances as a priority regardless of the score.
Advisories from VulDB and a detailed Notion write-up confirm that the exploit has been publicly disclosed and may be used. The vendor was contacted early about the issue but did not respond, and none of the available references mention a patch or a specific mitigation.
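The defect class here (CWE-434) is a handler that trusts the client-supplied file name and type. The following is an added example, not code from LoveCardsV2 or from the disclosure, showing the vulnerable pattern beside the checks a hardened upload handler applies: path components and double extensions rejected, an extension allowlist, magic-byte verification of the body, and a server-generated file name. The allowlist, size limit and magic-byte table are assumptions chosen for the example; how LoveCardsV2 actually implements its handler is not known from the advisory.

```python
import os
import secrets

# Assumed policy for this example: only these image types are accepted.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes per type, so the body is checked and not only the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(Exception):
    pass


def vulnerable_save(filename: str, data: bytes, upload_dir: str) -> str:
    """The CWE-434 pattern: the client chooses name, extension and content,
    so 'shell.php' lands in a web-served directory as-is."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension to store under, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized body")
    if "\x00" in filename or os.path.basename(filename) != filename:
        raise UploadRejected("path component or NUL byte in file name")
    parts = filename.lower().split(".")
    # Exactly one extension: rejects 'shell.php.png' and '.png'.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    # The declared type must match the bytes actually sent.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    return "jpg" if ext == "jpeg" else ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def hardened_save(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then store under a random server-chosen name with O_EXCL
    so the client never controls the path the web server will serve."""
    ext = validate_upload(filename, data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, body in [("photo.png", png), ("shell.php", b"<?php echo 1; ?>"),
                       ("shell.php.png", png), ("../evil.png", png),
                       ("x.png", b"<?php system($_GET['c']); ?>")]:
        print(f"{name:16} accepted={is_accepted(name, body)}")
```

The server-generated name and allowlisted extension are what matter most: even if a later check is bypassed, the attacker never picks the extension the web server uses to decide whether to execute the file. Storing uploads outside the document root (or in a directory where script execution is disabled) is the second layer.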
Details
- CWE(s): CWE-284 (Improper Access Control); CWE-434 (Unrestricted Upload of File with Dangerous Type)
Affected Products
- LoveCards LoveCardsV2, up to and including version 2.3.2
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1505.003 Server Software Component: Web Shell
Why these techniques?
The vulnerable /api/upload/image endpoint of a public-facing web application is the entry point, so exploitation maps to T1190 (Exploit Public-Facing Application) for initial access; the unrestricted upload lets the attacker place a web shell on the server, which is T1505.003 (Server Software Component: Web Shell) and is the mechanism behind the unauthenticated RCE.
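The T1190 to T1505.003 chain leaves a recognisable trace in web server access logs: a POST to the upload endpoint followed by requests for a script-typed file under the upload directory. The following is an added detection example, not part of the advisory or of LoveCardsV2, that scans Apache-style combined log lines for that sequence. The endpoint path comes from the advisory; the served upload directory (/uploads/), the time window, the script-extension list and every log line are constructed assumptions for the example.

```python
import re
from datetime import datetime

# Apache/nginx combined log format (client IP, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a web shell would need to be executed by the server (assumed list).
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|jsp|jspx|asp|aspx)(?:\?|$)", re.I)
UPLOAD_ENDPOINT = "/api/upload/image"  # from the advisory
UPLOAD_DIR = "/uploads/"               # assumption: where uploads are served from

# Constructed sample log; the .php file name is illustrative, not a real artefact.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:15:01 +0000] "POST /api/upload/image HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2025:10:15:03 +0000] "GET /uploads/2025/03/a1b2c3.php?cmd=id HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:10:16:44 +0000] "GET /uploads/2025/03/cat.png HTTP/1.1" 200 20417 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:17:02 +0000] "POST /api/upload/image HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_webshell_chain(lines, window_s: int = 3600):
    """Return one alert per request for a script-typed file under UPLOAD_DIR.

    prior_upload is True when the same client POSTed to the upload endpoint
    (status 200) within window_s beforehand, i.e. the T1190 -> T1505.003 chain.
    A shell can also be triggered from a different IP, so the request alone
    is still reported, with prior_upload False.
    """
    alerts = []
    last_upload = {}  # ip -> timestamp of its most recent successful upload
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path_only == UPLOAD_ENDPOINT and rec["status"] == 200:
            last_upload[rec["ip"]] = rec["ts"]
            continue
        if rec["path"].startswith(UPLOAD_DIR) and SCRIPT_EXT.search(rec["path"]):
            prior = last_upload.get(rec["ip"])
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "ts": rec["ts"].isoformat(),
                "prior_upload": prior is not None
                and 0 <= (rec["ts"] - prior).total_seconds() <= window_s,
                "techniques": ["T1190", "T1505.003"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_webshell_chain(SAMPLE_LOG.splitlines()):
        print(alert)
```

A successful upload on its own is normal traffic and is deliberately not alerted; the signal is a script extension being requested from the directory that should only ever serve images. On a hardened deployment that request should also return 403 or 404, so a 200 here is worth an immediate look at the file on disk.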