Cyber Resilience

CVE-2025-2742

MediumPublic PoC

Published: 25 March 2025

Published
25 March 2025
Modified
15 July 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0018 39.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2742 is a medium-severity Path Traversal (CWE-22) vulnerability in Iocoder Ruoyi-Vue-Pro. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2025-2742 is a path traversal vulnerability (CWE-22) in zhijiantianya ruoyi-vue-pro version 2.4.1. It affects unknown code within the /admin-api/mp/material/upload-permanent endpoint of the Material Upload Interface component. The issue arises from manipulation of the File argument, enabling attackers to traverse directories outside the intended upload path. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-03-25.

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with little complexity. By crafting a malicious file upload request, the attacker can achieve limited integrity and availability impacts, specifically enabling arbitrary file deletion as detailed in public disclosures. No confidentiality impact is possible.

Advisories from VulDB and GitHub repositories, including detailed exploit write-ups in ruoyi-vue-pro.md, confirm the vulnerability's remote exploitability but note no vendor response despite early contact. No patches or official mitigations are available, leaving affected systems reliant on custom input validation or access controls on the Material Upload Interface.

The exploit has been publicly disclosed and may be actively used, increasing risk for deployments of ruoyi-vue-pro 2.4.1.

EU & UK References

Vulnerability details

A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vulnerability affects unknown code of the file /admin-api/mp/material/upload-permanent of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. The attack can be…

more

initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in public-facing web upload endpoint (CVE-2025-2742) enables exploitation of public-facing application (T1190) and facilitates arbitrary remote file deletion (T1070.004).

CVEs Like This One

CVE-2025-2708Same product: Iocoder Ruoyi-Vue-Pro
CVE-2025-2743Same product: Iocoder Ruoyi-Vue-Pro
CVE-2025-2707Same product: Iocoder Ruoyi-Vue-Pro
CVE-2026-3666Shared CWE-22
CVE-2018-25308Shared CWE-22
CVE-2026-22460Shared CWE-22
CVE-2025-69377Shared CWE-22
CVE-2025-14850Shared CWE-22
CVE-2025-26752Shared CWE-22
CVE-2026-4350Shared CWE-22

Affected Assets

iocoder
ruoyi-vue-pro
2.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal by requiring validation of the manipulated File argument in the Material Upload Interface to reject traversal sequences like '../'.

prevent

Enforces restrictions on file names and paths in upload requests, preventing directory traversal payloads from being processed.

prevent

Enforces access control policies on file system resources to deny unauthorized deletions outside the intended upload directory even if partial traversal occurs.

References