Cyber Posture

CVE-2025-66410

CriticalPublic PoC

Published: 01 December 2025

Published
01 December 2025
Modified
06 February 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0013 32.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete…

more

any file and folder.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation directly mitigates CVE-2025-66410 by applying the vendor patch that fixes the path traversal in the FileMd5 parameter handling.

SI-10 Information Input Validation good match
prevent

Information input validation prevents path traversal attacks by sanitizing and validating the FileMd5 parameter to restrict it to safe paths.

AC-3 Access Enforcement partial match
prevent

Access enforcement restricts file deletion operations to only authorized resources, limiting the impact of manipulated FileMd5 parameters on arbitrary server files.

Security SummaryAI

CVE-2025-66410 is a path traversal vulnerability (CWE-22) affecting Gin-vue-admin, a backstage management system built on Vue and Gin. Versions 2.8.6 and earlier are vulnerable, where attackers can manipulate the 'FileMd5' parameter to delete arbitrary files and folders on the server, potentially leading to resource damage or service unavailability. The issue was published on 2025-12-01 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity due to high impacts on integrity and availability with no confidentiality loss.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By controlling the 'FileMd5' parameter, they gain the ability to target and delete any server file or folder, enabling destructive actions such as removing critical system files, application data, or configuration, which could render the server inoperable or cause significant operational disruption.

Mitigation details are provided in the project's GitHub security advisory at https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7, along with a fixing commit at https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6. Security practitioners should apply the patch by updating to a version beyond 2.8.6 and review access to endpoints handling the 'FileMd5' parameter.

Details

CWE(s)
CWE-22

Affected Products

gin-vue-admin project
gin-vue-admin
≤ 2.8.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
Why these techniques?

The vulnerability is a path traversal in a public-facing web application (Gin-vue-admin) enabling remote unauthenticated arbitrary file and folder deletion (T1190 for exploitation; T1070.004 for file deletion capability).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References