Cyber Posture

CVE-2025-2743

Severity: Medium · Public PoC

Published: 25 March 2025
Modified: 25 August 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0041 (61.7th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2743 is a medium-severity Path Traversal (CWE-22) vulnerability in Iocoder Ruoyi-Vue-Pro. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006). The CVE ranks in the top 38.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Direct Volume Access (T1006) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent): Directly prevents path traversal by requiring validation and sanitization of the File argument in the material upload endpoint to block traversal sequences like ../

AC-3 Access Enforcement (prevent): Enforces access control policies at the file system level to deny unauthorized reads outside the intended temporary upload directory despite path manipulation.

Least privilege (prevent): Applies least privilege to the application process handling uploads, limiting potential damage from traversal to only low-privilege accessible files.
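The input-validation control above describes what a fix for this class of bug has to do: treat the client-supplied File value as a bare file name, confine it to one temporary upload directory, and refuse anything that resolves elsewhere. The following is an added example written for this page, not code from ruoyi-vue-pro; the class name, the upload root location and the sample inputs are assumptions, and the same guard applies to every file operation on the resolved path (read, write or delete), which matters because the public PoC referenced for this CVE is titled as an arbitrary file deletion.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not ruoyi-vue-pro code): confine a client-supplied file name
 * to a single temporary upload directory before any read, write or delete.
 */
public final class TemporaryUploadPathGuard {

    // Assumed base directory for temporary material uploads; the real
    // project's configuration key and location are not taken from the page.
    private final Path uploadRoot;

    public TemporaryUploadPathGuard(Path uploadRoot) {
        // Canonicalising the root once makes the later prefix check exact.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /**
     * Returns the only path the caller may touch for this name, or throws.
     * The client is allowed to choose a file name, never a path.
     */
    public Path resolve(String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new IllegalArgumentException("file name is required");
        }
        // Null bytes and both separator styles are rejected outright rather than
        // sanitised: stripping "../" and retrying is how bypasses such as "....//" appear.
        if (clientFileName.indexOf('\0') >= 0
                || clientFileName.contains("/")
                || clientFileName.contains("\\")) {
            throw new IllegalArgumentException("file name must not contain path separators");
        }
        if (clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path candidate = uploadRoot.resolve(clientFileName).normalize();
        // Path.startsWith compares whole path components, so a sibling directory
        // such as "/srv/upload-tmp-old" does not pass for root "/srv/upload-tmp".
        if (!candidate.startsWith(uploadRoot) || candidate.equals(uploadRoot)) {
            throw new IllegalArgumentException("resolved path escapes the upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        TemporaryUploadPathGuard guard =
                new TemporaryUploadPathGuard(Paths.get("/srv/upload-tmp")); // assumed location
        // Constructed inputs: one ordinary name, then traversal attempts a defender
        // should expect this endpoint to reject (and ideally log for detection).
        String[] samples = { "banner.png", "../../../outside.txt", "..\\..\\outside.txt", "..", "a/../../b" };
        for (String s : samples) {
            try {
                System.out.println("accept " + s + " -> " + guard.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + " : " + e.getMessage());
            }
        }
    }
}
```

Only "banner.png" resolves; every other sample is refused before any filesystem call is made. Rejecting separators instead of stripping them is deliberate: a rejected request is also a clean detection signal, whereas a sanitise-and-continue approach silently accepts malformed names and hides the attempt from logs. The AC-3 and least-privilege controls listed above remain worthwhile as a second layer, since they bound what a traversal reaches if a future code path forgets to call the guard.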

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1006 Direct Volume Access (Stealth)
Adversaries may directly access a volume to bypass file access controls and file system monitoring.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Path traversal in material upload endpoint enables direct volume access (T1006) and arbitrary file deletion (T1070.004).

NVD Description

A vulnerability, which was classified as problematic, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. This issue affects some unknown processing of the file /admin-api/mp/material/upload-temporary of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis [AI-generated]

CVE-2025-2743 is a path traversal vulnerability (CWE-22) affecting zhijiantianya ruoyi-vue-pro version 2.4.1. The issue resides in the Material Upload Interface, specifically the /admin-api/mp/material/upload-temporary endpoint, where manipulation of the File argument enables traversal outside intended directories. Rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), it was published on 2025-03-25 and classified as problematic.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), such as an authenticated user, over the network with low complexity and no user interaction required. Successful exploitation allows limited access to confidential data (C:L), potentially enabling unauthorized file reads via path traversal; the scored impact is limited to low confidentiality loss, with no impact on integrity or availability.

Advisories from VulDB (ctiid.300845, id.300845) and a GitHub repository (uglory-gll/javasec) detail the issue, with the latter providing a proof-of-concept under "Arbitrary File Deletion Vulnerability - uploadTemporaryMaterial," indicating public disclosure of an exploit. The vendor was contacted early but has not responded or issued patches. No mitigations are specified in available references.

Details

CWE(s)

CWE-22 Path Traversal

Affected Products

iocoder
ruoyi-vue-pro
2.4.1

CVEs Like This One

CVE-2025-2708 (same product: Iocoder Ruoyi-Vue-Pro)
CVE-2025-2742 (same product: Iocoder Ruoyi-Vue-Pro)
CVE-2025-2707 (same product: Iocoder Ruoyi-Vue-Pro)
CVE-2025-7628 (shared CWE-22)
CVE-2025-14520 (shared CWE-22)
CVE-2026-32808 (shared CWE-22)
CVE-2025-24960 (shared CWE-22)
CVE-2025-2328 (shared CWE-22)
CVE-2025-66251 (shared CWE-22)
CVE-2025-6439 (shared CWE-22)

References