CVE-2025-2707
Published: 24 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2707 is a critical path traversal vulnerability (CWE-22) affecting zhijiantianya ruoyi-vue-pro version 2.4.1. The issue resides in an unknown functionality of the Front-End Store Interface component, specifically the /app-api/infra/file/upload endpoint, where manipulation of the 'path' argument enables traversal outside intended directories. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-03-24.
The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity and no user interaction required. Successful exploitation allows partial integrity and availability impacts, potentially enabling attackers to write or overwrite files in unauthorized locations via path traversal, though confidentiality is unaffected.
Advisories from VulDB and a GitHub security disclosure note that the exploit has been publicly released and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned in the available references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the front-end file upload endpoint (/app-api/infra/file/upload) enables exploitation of a public-facing application (T1190), ingress tool/malware transfer to arbitrary filesystem locations (T1105), persistence through web shell deployment (T1505.003), and account manipulation via overwriting SSH authorized keys (T1098.004).