Path Traversal Vulnerability in Zhijiantianya Ruoyi-Vue-Pro by Zhijiantianya
CVE-2025-2707

5.4MEDIUM

Key Information:

Vendor: Zhijiantianya
Status: Ruoyi-Vue-Pro
Vendor: CVE Published:; 24 March 2025

🔔 Create Zhijiantianya Vulnerability Alert

What is CVE-2025-2707?

A vulnerability has been identified in the Front-End Store Interface of Zhijiantianya's Ruoyi-Vue-Pro 2.4.1, specifically within the file upload functionality at /app-api/infra/file/upload. This flaw allows attackers to manipulate the argument path, leading to unauthorized access to files outside the intended directory. As a result, remote attackers could exploit this vulnerability to perform malicious actions. The vulnerability has been publicly disclosed, emphasizing the need for immediate remediation as the vendor has not yet acknowledged the issue.

References

https://github.com/uglory-gll/javasec/blob/main/ruoyi-vue...

https://vuldb.com/?ctiid.300728

https://vuldb.com/?id.300728

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2025