CVE-2025-2363
Published: 17 March 2025
Description
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2025-2363 is a path traversal vulnerability (CWE-22) classified as critical in lenve VBlog up to version 1.0.0. The issue affects the uploadImg function within the file blogserver/src/main/java/org/sang/controller/ArticleController.java, where manipulation of the filename argument enables attackers to traverse directories outside the intended upload path.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring network access (AV:N) and low complexity (AC:L) with no user interaction (UI:N). Successful exploitation results in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), potentially allowing unauthorized file access or modification in traversable directories.
Advisories from VulDB and a Notion page describe the vulnerability as an arbitrary file upload leading to path traversal, with the exploit publicly disclosed. No patches or vendor responses are available: the vendor was contacted early but did not reply. Security practitioners should restrict upload functionality and validate filenames strictly.
The exploit has been made public and may be actively used, with no further details on real-world exploitation provided in available sources.
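The advice above to "validate filenames strictly" is the core mitigation for this class of bug: a client-supplied filename must never be able to steer the write outside the upload directory. The following helper is an added illustration written for this page; it is not lenve VBlog's code, and the `uploadImg` controller on the page is not reproduced here. The upload root `/var/app/uploads`, the allowed extensions and the class and method names are all assumptions. The client name contributes only its validated extension, the basename is generated server-side, and the resolved path is still checked against the upload root as defence in depth.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Pattern;

/**
 * Hardened upload-filename handling (illustrative, not VBlog's own code).
 * The upload root, extension list and names below are assumptions.
 */
public final class SafeUploadName {

    // Extensions an image-upload endpoint has a reason to accept (assumption).
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");

    // Server-generated basenames must match this shape; nothing else reaches disk.
    private static final Pattern SAFE_BASENAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private SafeUploadName() {}

    /** Returns the validated extension of a client-supplied name; throws on anything suspicious. */
    static String validatedExtension(String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty() || clientFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed filename");
        }
        // Directory separators and traversal tokens are rejected outright, never "cleaned".
        if (clientFilename.contains("/") || clientFilename.contains("\\") || clientFilename.contains("..")) {
            throw new IllegalArgumentException("filename must not contain path components");
        }
        int dot = clientFilename.lastIndexOf('.');
        if (dot <= 0 || dot == clientFilename.length() - 1) {
            throw new IllegalArgumentException("filename has no extension");
        }
        String ext = clientFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /**
     * Builds the on-disk path for an upload. Only the validated extension comes from
     * the client; the basename is random and the final path must stay directly
     * inside the upload root.
     */
    static Path targetPath(Path uploadDir, String clientFilename) {
        String ext = validatedExtension(clientFilename);
        String basename = UUID.randomUUID().toString().replace("-", "");
        if (!SAFE_BASENAME.matcher(basename).matches()) {
            throw new IllegalStateException("generated name failed its own check");
        }
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(basename + "." + ext).normalize();
        // Defence in depth: even a future bug in the name logic cannot leave the root.
        if (!target.startsWith(root) || !root.equals(target.getParent())) {
            throw new SecurityException("resolved path escapes the upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/var/app/uploads"); // assumed upload root
        // Constructed sample inputs: one benign name and several that must be refused.
        String[] samples = {"photo.png", "../../etc/passwd", "..\\web.xml", "page.jsp", "a/b.png", "noext"};
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + targetPath(uploadDir, name));
            } catch (RuntimeException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac SafeUploadName.java && java SafeUploadName`; only `photo.png` produces a path, and that path is a random name under the upload root. Rejecting rather than sanitising is deliberate: stripping `../` sequences invites encoding and double-dot variants, whereas refusing any separator or `..` and discarding the client basename leaves nothing for a traversal payload to act on.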
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in unrestricted file upload enables remote arbitrary file writes, facilitating public-facing app exploitation (T1190), web shell deployment (T1505.003), tool transfer into victim environment (T1105), and malware staging (T1608.001).