Cyber Resilience

CVE-2025-2038

Medium · Public PoC

Published: 06 March 2025

Modified: 13 May 2025
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2038 is a medium-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Code-Projects Blood Bank Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE ranks at the 20.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-2038 is a critical vulnerability in code-projects Blood Bank Management System 1.0, affecting unknown processing of the /upload/ file or endpoint. It enables exposure of information through directory listing, mapped to CWE-548 (Exposure of Information Through Directory Listing) and CWE-552 (Files or Directories Accessible to External Parties). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-06.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and low complexity, requiring no user interaction. Exploitation involves manipulating the /upload/ endpoint to trigger directory listing, resulting in information disclosure with low impacts on confidentiality, integrity, and availability.

Advisories referenced on VulDB (ctiid.298781, id.298781, submit.512558) document the issue, while a GitHub repository (intercpt/XSS1/blob/main/Directorylisting.md) discloses the exploit publicly, noting it may be used by attackers. The project site at code-projects.org provides context on the affected software, but no specific patches or mitigations are detailed in available references.

Vulnerability details

A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1083 File and Directory Discovery (Tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Directory listing vulnerability in /upload/ exposes file and directory contents, directly enabling File and Directory Discovery (T1083) as noted in advisories.

CVEs Like This One

CVE-2025-2037 (Same product: Code-Projects Blood Bank Management System)
CVE-2025-2039 (Same product: Code-Projects Blood Bank Management System)
CVE-2025-2033 (Same product: Code-Projects Blood Bank Management System)
CVE-2025-2054 (Same product: Code-Projects Blood Bank Management System)
CVE-2025-2044 (Same product: Code-Projects Blood Bank Management System)
CVE-2025-2652 (Shared CWE-548, CWE-552)
CVE-2025-1381 (Same vendor: Code-Projects)
CVE-2026-5256 (Same vendor: Code-Projects)
CVE-2025-1956 (Same vendor: Code-Projects)
CVE-2025-7184 (Same vendor: Code-Projects)

Affected Assets

code-projects · blood bank management system · 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: CM-6 requires secure configuration settings like disabling directory indexing on web servers, directly preventing exposure via the /upload/ endpoint.

Prevent: CM-7 mandates least functionality by prohibiting unnecessary features such as directory listings, comprehensively mitigating the /upload/ information disclosure.

Prevent: SC-14 enforces protections for information accessed through public web interfaces, directly addressing directory listing vulnerabilities on exposed endpoints like /upload/.
