CVE-2025-2708
Published: 24 March 2025
Summary
CVE-2025-2708 is a medium-severity Path Traversal (CWE-22) vulnerability in Iocoder Ruoyi-Vue-Pro. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the path traversal in the file upload endpoint by requiring validation of the manipulated 'path' argument to block directory traversal sequences.
- Boundary protection at the API interface can inspect and block remote requests containing path traversal payloads targeting /admin-api/infra/file/upload.
- AC-3 (Access Enforcement): enforces access controls that restrict low-privilege (PR:L) users from writing or deleting files in unauthorized directories outside the intended upload location.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the backend file upload endpoint (/admin-api/infra/file/upload) enables arbitrary file writes to the server filesystem, bypassing directory restrictions (mapped to T1006: Direct Volume Access by VulDB). It is exploitable remotely via the public-facing web application (T1190: Exploit Public-Facing Application).
NVD Description
A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. This affects an unknown part of the file /admin-api/infra/file/upload of the component Backend File Upload Interface. The manipulation of the argument path leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-2708 is a path traversal vulnerability (CWE-22) classified as critical in zhijiantianya ruoyi-vue-pro version 2.4.1. It affects the Backend File Upload Interface, specifically the endpoint /admin-api/infra/file/upload, where manipulation of the "path" argument enables directory traversal. The vulnerability was published on 2025-03-24 and carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
An attacker with low privileges (PR:L) can exploit this remotely over the network with low complexity and no user interaction required. By crafting a malicious "path" parameter during file upload, the attacker can traverse directories outside the intended upload location, potentially leading to limited integrity (I:L) and availability (A:L) impacts, such as overwriting or deleting files in unauthorized locations, though no confidentiality impact is present.
Advisories from VulDB (ctiid.300729, id.300729, submit.517030) and a GitHub proof-of-concept at uglory-gll/javasec (ruoyi-vue-pro.md#4file-path-traversal-back-end) detail the issue but report no vendor response despite early contact. No patches or official mitigations are available, and the exploit has been publicly disclosed, increasing the risk of active use.
The vendor was notified early but provided no response, leaving affected deployments without remediation guidance as of publication.
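The input-validation control (SI-10) listed under Mitigating Controls and the 'path' manipulation described in the analysis above come down to one check on the server side: the caller-supplied path must be resolved against the configured upload directory and rejected if the normalized result lands anywhere else. The following class is an added illustration written for this page, not code from the ruoyi-vue-pro project; the upload root /var/app/uploads, the class name UploadPathGuard and the sample inputs in main are assumptions constructed for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative hardening for an upload handler that accepts a caller-supplied
 * "path" argument. Assumed example code, not the project's implementation.
 */
public final class UploadPathGuard {

    // Assumed base directory; a real deployment would read this from configuration.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied relative path under UPLOAD_ROOT and returns it only if
     * the normalized result is still strictly inside the root.
     * Throws IllegalArgumentException for anything that escapes or is malformed.
     */
    public static Path resolveWithinRoot(String userPath) {
        if (userPath == null || userPath.isEmpty()) {
            throw new IllegalArgumentException("path is required");
        }
        // Reject embedded NUL bytes; some filesystems and libraries truncate at them.
        if (userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("path contains NUL");
        }
        Path candidate;
        try {
            // resolve(): an absolute userPath replaces UPLOAD_ROOT entirely;
            // normalize(): collapses "." and ".." segments lexically.
            candidate = UPLOAD_ROOT.resolve(userPath).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("path is not a valid filesystem path", e);
        }
        // Path.startsWith compares whole path components, so a sibling directory such as
        // "/var/app/uploads2" does not pass as a string-prefix match would.
        if (!candidate.startsWith(UPLOAD_ROOT) || candidate.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes the upload directory");
        }
        return candidate;
    }

    /** Boolean form of the check, convenient for a validator or filter. */
    public static boolean isAllowed(String userPath) {
        try {
            resolveWithinRoot(userPath);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate, three that must be rejected.
        String[] samples = {
            "reports/2025/q1.pdf",       // accepted
            "a/../b.txt",                // accepted: normalizes to <root>/b.txt
            "../outside/escape.txt",     // rejected: climbs above the root
            "/absolute/elsewhere.txt",   // rejected: absolute path replaces the root
            ""                           // rejected: empty
        };
        for (String s : samples) {
            String verdict = isAllowed(s) ? "accepted: " + resolveWithinRoot(s) : "rejected";
            System.out.printf("%-28s -> %s%n", "\"" + s + "\"", verdict);
        }
    }
}
```

The check is lexical: it reasons about path components, not about what is on disk. If the upload directory may contain symbolic links, pair it with a check on the real path (`toRealPath()` of the parent after creation) or disallow symlinks under the root. The AC-3 control on the page is the operating-system complement: run the application with filesystem permissions that allow writes only under the upload root, so that a validation bypass still cannot overwrite or delete files elsewhere.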
Details
- CWE(s)