CVE-2025-2707
Published: 24 March 2025
Summary
CVE-2025-2707 is a medium-severity Path Traversal (CWE-22) vulnerability in Iocoder Ruoyi-Vue-Pro. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The vulnerability ranks at the 37.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly validates the manipulated 'path' argument of the /app-api/infra/file/upload endpoint so that the resulting file location cannot leave the intended upload directory.
- SI-2 (Flaw Remediation): Identifies, reports, and corrects the specific path traversal flaw in ruoyi-vue-pro 2.4.1 through patching or code remediation.
- Access enforcement: Enforces access authorizations so that low-privileged users cannot write or overwrite files in unauthorized locations via traversed paths.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal in the front-end file upload endpoint (/app-api/infra/file/upload) gives a remote, low-privileged user an arbitrary file write. That maps to exploitation of a public-facing application (T1190), transfer of tools or malware to attacker-chosen filesystem locations (T1105), persistence by dropping a web shell under a served directory (T1505.003), and account manipulation by overwriting an SSH authorized_keys file (T1098.004). The last two depend on the application's OS account having write permission to those locations, which is why access enforcement appears among the mitigating controls.
NVD Description
A vulnerability, which was classified as critical, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected by this issue is some unknown functionality of the file /app-api/infra/file/upload of the component Front-End Store Interface. The manipulation of the argument path leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-2707 is a path traversal vulnerability (CWE-22) affecting zhijiantianya ruoyi-vue-pro version 2.4.1. The disclosure text quoted above describes it as critical, but its CVSS v3.1 base score is 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L; the two ratings come from different scales and the score is the one to plan against. The issue resides in an unknown functionality of the Front-End Store Interface component, specifically the /app-api/infra/file/upload endpoint, where manipulation of the 'path' argument lets the upload land outside the intended directory. It was published on 2025-03-24.
The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity and no user interaction required. Successful exploitation allows partial integrity and availability impacts, potentially enabling attackers to write or overwrite files in unauthorized locations via path traversal, though confidentiality is unaffected.
Advisories from VulDB and a GitHub security disclosure note that the exploit has been publicly released and may be used. The vendor was contacted early about the issue but did not respond, and the available references mention no patch or mitigation.
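The control described in the SI-10 row above and the traversal mechanism described in this analysis, as an added example: the flawed pattern of joining a client-supplied `path` onto the upload root, beside a hardened version that canonicalizes the result and then proves it still sits under the root. This is illustrative code written for this page, not code from ruoyi-vue-pro (a Java/Spring project; Python is used here so the check reads language-neutrally). The upload root `/srv/uploads`, the parameter names and every payload are assumptions or constructed inputs, not taken from the disclosure.

```python
"""Confining a client-supplied upload 'path' to the upload root.

Added example for the vulnerability class of CVE-2025-2707 (CWE-22), not
code from ruoyi-vue-pro. UPLOAD_ROOT, the parameter names and all payloads
are assumptions/constructed inputs. Paths are handled lexically with
posixpath so the example runs offline without touching the filesystem.
"""
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/uploads"  # assumed upload root (hypothetical)


class UnsafePathError(ValueError):
    """Raised when 'path' or the filename would escape UPLOAD_ROOT."""


def vulnerable_target(path_param: str, filename: str) -> str:
    """The flawed pattern: join whatever the client sent onto the root.

    posixpath.join drops the root when the client sends an absolute path,
    and normpath collapses '..' segments, so the file is written wherever
    the client chose. (A real handler would then open() this path.)
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, path_param, filename))


def safe_target(path_param: str, filename: str) -> str:
    """Canonicalize first, then prove the result still sits under the root.

    The containment check at the end is the control (SI-10 style input
    validation); the checks before it only reject inputs that a path
    string cannot represent safely or that would give misleading errors.
    """
    if "\x00" in path_param or "\x00" in filename:
        raise UnsafePathError("NUL byte in path component")
    # Treat backslashes as separators so Windows-style traversal is judged
    # by the same rule rather than slipping through as an odd filename.
    path_param = path_param.replace("\\", "/")
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise UnsafePathError("filename must be a single path segment")

    root = posixpath.normpath(UPLOAD_ROOT)
    target = posixpath.normpath(posixpath.join(root, path_param, filename))
    # Component-wise containment: the canonical target must lie strictly
    # below root. Comparing with root + "/" also stops "/srv/uploads-old/x".
    if not target.startswith(root + "/"):
        raise UnsafePathError(f"{target!r} escapes {root!r}")
    return target


def evaluate(cases):
    """Run payloads through both versions.

    Returns a list of (raw_path, vulnerable_result, hardened_result) where the
    hardened result is either the confined path or a 'REJECTED: ...' string.
    """
    results = []
    for raw_path, raw_name in cases:
        # The web framework percent-decodes parameters exactly once before
        # the handler runs; simulate that so both versions see the same input.
        path_param, filename = unquote(raw_path), unquote(raw_name)
        vuln = vulnerable_target(path_param, filename)
        try:
            safe = safe_target(path_param, filename)
        except UnsafePathError as exc:
            safe = f"REJECTED: {exc}"
        results.append((raw_path, vuln, safe))
    return results


# Constructed payloads (not from the disclosure). The second and third mirror
# the ATT&CK mappings on this page: authorized_keys overwrite and web shell drop.
CASES = [
    ("avatars/2025", "pic.png"),                          # legitimate upload
    ("../../root/.ssh", "authorized_keys"),               # T1098.004
    ("..%2F..%2F..%2Fvar%2Fwww%2Fhtml", "shell.jsp"),      # percent-encoded, T1505.003
    ("/etc/cron.d", "job"),                               # absolute path drops the root
    ("avatars", "../../../root/.ssh/authorized_keys"),    # traversal in the filename
]

if __name__ == "__main__":
    for raw_path, vuln, safe in evaluate(CASES):
        print(f"path={raw_path!r}")
        print(f"  vulnerable -> {vuln}")
        print(f"  hardened   -> {safe}")
```

The containment check is lexical: it stops `..` segments and absolute paths, but not a symlink already planted inside the upload root that points elsewhere, so on a real filesystem pair it with a check on the resolved path (`os.path.realpath` in Python, `Path.toRealPath` in Java) and run the application under an OS account that cannot write to locations such as `/root/.ssh` or the web root in the first place, which is the access-enforcement control listed above. Decode percent-encoding exactly once, at the framework boundary; decoding again inside the handler turns double-encoded payloads such as `%252e%252e` back into `..`.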
Details
- CWE(s)