CVE-2025-2743
Published: 25 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-2743 is a path traversal vulnerability (CWE-22) affecting zhijiantianya ruoyi-vue-pro version 2.4.1. The issue resides in the Material Upload Interface, specifically the /admin-api/mp/material/upload-temporary endpoint, where manipulation of the File argument enables traversal outside the intended directories. It is rated CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), was published on 2025-03-25 and is classified as problematic.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), such as an authenticated user, over the network with low attack complexity and no user interaction. Successful exploitation gives limited access to confidential data (C:L), potentially enabling unauthorized file reads via path traversal; the vector records no impact to integrity or availability (I:N/A:N), which is consistent with the low confidentiality score and the overall rating.
Advisories from VulDB (ctiid.300845, id.300845) and a GitHub repository (uglory-gll/javasec) detail the issue, with the latter providing a proof-of-concept under "Arbitrary File Deletion Vulnerability - uploadTemporaryMaterial," indicating public disclosure of an exploit. The vendor was contacted early but has not responded or issued patches. No mitigations are specified in available references.
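The containment check this class of bug calls for, as an added illustration that is not code from ruoyi-vue-pro or from the advisories above: a hypothetical temporary-material handler resolving a client-supplied name under its working directory, showing the vulnerable pattern beside a contained version and a server-generated alternative (the directory and probe names are constructed).

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;
import java.util.UUID;
// Added example, not ruoyi-vue-pro code: refusing client-supplied names that would
// leave the temporary-material directory before they are used to create or delete a file.
public final class TempMaterialPath {
    private TempMaterialPath() {}
    // Vulnerable pattern (CWE-22): the client name is used directly as a path component,
    // so a name such as "../../conf/app.yml" is created or removed outside tempDir.
    static Path unsafeResolve(Path tempDir, String clientName) {
        return tempDir.resolve(clientName);
    }
    // Hardened: reject any name carrying directory components or NUL bytes, then confirm
    // the normalized absolute result still sits strictly inside tempDir.
    static Optional<Path> safeResolve(Path tempDir, String clientName) {
        if (clientName == null || clientName.isEmpty()
                || clientName.indexOf('/') >= 0 || clientName.indexOf('\\') >= 0
                || clientName.indexOf('\0') >= 0 || clientName.equals(".") || clientName.equals("..")) {
            return Optional.empty();
        }
        Path base = tempDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(clientName).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }
    // Preferred: never use the client name for the on-disk path; keep at most a short
    // alphanumeric extension and generate the rest server-side.
    static Path serverGeneratedPath(Path tempDir, String clientName) {
        String ext = "";
        int dot = clientName == null ? -1 : clientName.lastIndexOf('.');
        if (dot >= 0 && clientName.substring(dot + 1).toLowerCase().matches("[a-z0-9]{1,5}")) {
            ext = "." + clientName.substring(dot + 1).toLowerCase();
        }
        return tempDir.toAbsolutePath().normalize().resolve(UUID.randomUUID() + ext);
    }
    public static void main(String[] args) {
        Path tempDir = Paths.get("/tmp/mp-material"); // constructed sample directory
        String[] probes = {"logo.png", "../../conf/app.yml", "..\\..\\app.jar", "/etc/hosts"};
        for (String p : probes) {
            System.out.printf("%-20s unsafe=%s safe=%s%n", p, unsafeResolve(tempDir, p).normalize(),
                    safeResolve(tempDir, p).map(Path::toString).orElse("REJECTED"));
        }
        System.out.println("generated=" + serverGeneratedPath(tempDir, "../../x.png"));
    }
}
```

Only the first probe survives safeResolve; the traversal and absolute-path probes are rejected rather than silently rewritten, which is the behaviour a request log should show.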
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the material upload endpoint enables direct volume access (T1006) and arbitrary file deletion (T1070.004).