CVE-2025-2742
Published: 25 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-2742 is a path traversal vulnerability (CWE-22) in zhijiantianya ruoyi-vue-pro version 2.4.1. It affects unknown code within the /admin-api/mp/material/upload-permanent endpoint of the Material Upload Interface component. The issue arises from manipulation of the File argument, enabling attackers to traverse directories outside the intended upload path. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-03-25.
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with little complexity. By crafting a malicious file upload request, the attacker can achieve limited integrity and availability impacts, specifically enabling arbitrary file deletion as detailed in public disclosures. No confidentiality impact is possible.
Advisories from VulDB and GitHub repositories, including detailed exploit write-ups in ruoyi-vue-pro.md, confirm the vulnerability's remote exploitability but note no vendor response despite early contact. No patches or official mitigations are available, leaving affected systems reliant on custom input validation or access controls on the Material Upload Interface.
The exploit has been publicly disclosed and may be actively used, increasing risk for deployments of ruoyi-vue-pro 2.4.1.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web upload endpoint (CVE-2025-2742) enables exploitation of public-facing application (T1190) and facilitates arbitrary remote file deletion (T1070.004).