Unauthenticated File Upload Vulnerability in eGovFramework's Common Components
CVE-2025-34336
Key Information:
- Vendor
- CVE Published: 19 November 2025
What is CVE-2025-34336?
Versions of eGovFramework's common components up to and including 4.3.1 are susceptible to an unauthenticated file upload vulnerability via the image upload endpoints /utl/wed/insertImage.do and /utl/wed/insertImageCk.do. These endpoints accept uploads without any authentication. Although a whitelist restricts the filename extension, the content of the uploaded file is fully controlled by the attacker, so files that are not images can be stored on the server. Such non-image content becomes a further risk when the server later serves it with an improperly handled MIME type. In effect, the flaw lets attackers use an affected application as a persistent hosting service for arbitrary content.
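As an added defensive example (not code from eGovFramework), the following shows the two controls the description implies are missing: the upload's bytes must match the format its whitelisted extension claims, and stored files are served with a fixed Content-Type and no browser sniffing. The signature table, header set and sample inputs are assumptions constructed for this example.

```python
import os

# Magic-byte signatures for the image formats an image-upload endpoint is
# expected to accept (sample whitelist constructed for this example).
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
CONTENT_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                 ".jpeg": "image/jpeg", ".gif": "image/gif"}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). An extension whitelist alone is not enough:
    the file body must also start with the signature of the claimed format."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} not in whitelist"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not match the {ext} signature"
    return True, "ok"


def response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload: Content-Type fixed from the validated
    extension (never from the request), no MIME sniffing, no inline rendering."""
    ext = os.path.splitext(filename)[1].lower()
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal PNG prefix, and HTML text named as a PNG.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("photo.png", b"<!DOCTYPE html><p>not an image</p>"))
    print(validate_upload("notes.txt", b"plain text"))
    print(response_headers("photo.png"))
```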
Affected Version(s)
- eGovFramework/egovframe-common-components: versions 0 through 4.3.1 (inclusive)
