Cyber Posture

CVE-2025-2708

Medium · Public PoC

Published: 24 March 2025
Modified: 25 August 2025
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0017 (37.8th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2708 is a path traversal vulnerability (CWE-22) classified as critical in zhijiantianya ruoyi-vue-pro version 2.4.1. It affects the Backend File Upload Interface, specifically the endpoint /admin-api/infra/file/upload, where manipulation of the "path" argument enables directory traversal. The vulnerability was published on 2025-03-24 and carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

An attacker with low privileges (PR:L) can exploit this remotely over the network with low complexity and no user interaction required. By crafting a malicious "path" parameter during file upload, the attacker can traverse directories outside the intended upload location, potentially leading to limited integrity (I:L) and availability (A:L) impacts, such as overwriting or deleting files in unauthorized locations, though no confidentiality impact is present.

Advisories from VulDB (ctiid.300729, id.300729, submit.517030) and a GitHub proof-of-concept at uglory-gll/javasec (ruoyi-vue-pro.md#4file-path-traversal-back-end) detail the issue but report no vendor response despite early contact. No patches or official mitigations are available, and the exploit has been publicly disclosed, increasing the risk of active use.

The vendor was notified early but provided no response, leaving affected deployments without remediation guidance as of publication.
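Added example, not code from the ruoyi-vue-pro project or from the cited advisories: a hypothetical Java helper showing the check an upload handler can apply to a caller-supplied "path" argument before writing, so that any value which normalizes outside the configured upload root is rejected. The class name, the method name and the root directory /srv/uploads are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeUploadPath {

    // Hypothetical helper: returns the absolute target path for a requested
    // upload location, or throws IllegalArgumentException if it would land
    // outside uploadRoot (the CWE-22 condition described in the summary).
    public static Path resolveUploadPath(Path uploadRoot, String requestedPath) {
        if (requestedPath == null || requestedPath.isBlank()) {
            throw new IllegalArgumentException("path is required");
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path candidate;
        try {
            // resolve() of an absolute requestedPath discards root entirely, and
            // normalize() collapses "." and ".." so the containment check below
            // sees the real target, not the raw string.
            candidate = root.resolve(requestedPath).normalize();
        } catch (InvalidPathException e) {
            // e.g. embedded NUL bytes or characters the file system forbids
            throw new IllegalArgumentException("path contains illegal characters", e);
        }
        // Path.startsWith compares whole name elements, so "/srv/uploads-old"
        // is not mistaken for a child of "/srv/uploads".
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException("path escapes the upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/uploads");   // constructed example root
        String[] samples = {
            "avatars/user42.png",   // accepted: stays under root
            "../outside.txt",       // rejected: walks out of root
            "/tmp/absolute.txt",    // rejected: absolute path replaces root
            "a/../../b.txt"         // rejected: net effect leaves root
        };
        for (String s : samples) {
            try {
                System.out.println("accept " + resolveUploadPath(root, s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same containment test belongs on the server-side file name as well, since the write happens after the framework has already URL-decoded the parameter once.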

Details

CWE(s)
CWE-22

Affected Products

iocoder
ruoyi-vue-pro
2.4.1

MITRE ATT&CK Enterprise Techniques

T1006 Direct Volume Access (Stealth)
Adversaries may directly access a volume to bypass file access controls and file system monitoring.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in backend file upload (/admin-api/infra/file/upload) enables arbitrary file writes to server filesystem, bypassing directory restrictions (T1006: Direct Volume Access per VulDB mapping). Exploitable remotely via public-facing web application (T1190).