CVE-2025-45238
Published: 05 May 2025
Summary
CVE-2025-45238 is a critical-severity Path Traversal (CWE-22) vulnerability in Qianfox Foxcms. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
foxcms version 1.2.5 contains an arbitrary file deletion vulnerability in the delRestoreSerie method. The flaw is tracked as CVE-2025-45238 with CWE-22 and carries a CVSS 3.1 score of 9.1, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can invoke the affected method with arbitrary paths, resulting in deletion of files on the server. Successful exploitation has high impact on integrity and availability but no impact on confidentiality.
The associated EPSS score remains low at 0.0194 with no material increase since disclosure. Public references consist of a GitHub gist and the project repository on Gitee, neither of which details patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13444
Vulnerability details
foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
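The control above is the fix pattern for an arbitrary file deletion of this kind: resolve the requested name against the directory the operation is allowed to touch and refuse anything that ends up outside it. The following is an added illustration written for this page in Python; it is not foxcms code, and `delete_restore_file`, the `backups` directory and the file names are constructed stand-ins for whatever the real method operates on. It covers three ways a request can escape the intended directory (`..` segments, absolute paths, and a symlink inside the directory that points outside it) and checks the resolved filesystem location rather than the raw string.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve `requested` relative to `base_dir` and prove it stays inside.

    resolve() follows symlinks and collapses '..' segments, so the
    containment check is made on the real location, not on the input text.
    """
    base = Path(base_dir).resolve()
    # A backup/restore name should never be absolute; reject it outright.
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    candidate = (base / requested).resolve()
    # Path.is_relative_to needs Python 3.9+; fall back to commonpath otherwise.
    try:
        inside = candidate.is_relative_to(base)
    except AttributeError:
        inside = os.path.commonpath([str(base), str(candidate)]) == str(base)
    if not inside or candidate == base:
        raise PathTraversalError(f"path escapes {base}: {requested!r}")
    return candidate


def delete_restore_file(base_dir: str, requested: str) -> bool:
    """Hypothetical hardened delete: unlink only after the containment check.

    Returns True when a regular file was removed, False when nothing existed;
    raises PathTraversalError for any request that points outside base_dir.
    """
    target = resolve_within(base_dir, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: a backups directory plus one file outside it."""
    root = Path(tempfile.mkdtemp())
    backups = root / "backups"
    backups.mkdir()
    (backups / "site-2025-05-01.sql").write_text("-- constructed dump")
    outside = root / "config.php"
    outside.write_text("<?php // constructed stand-in for a file outside backups")
    try:
        # A symlink inside the directory whose target lies outside it.
        (backups / "escape").symlink_to(outside)
        have_symlink = True
    except OSError:  # e.g. no symlink privilege on some platforms
        have_symlink = False

    results = {"legit": delete_restore_file(str(backups), "site-2025-05-01.sql")}
    attempts = [("dotdot", "../config.php"), ("absolute", str(outside))]
    if have_symlink:
        attempts.append(("symlink", "escape"))
    else:
        results["symlink"] = "skipped"
    for name, req in attempts:
        try:
            delete_restore_file(str(backups), req)
            results[name] = "deleted"
        except PathTraversalError:
            results[name] = "rejected"
    results["outside_file_survives"] = outside.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed on the resolved path rather than on a substring search for `..`: encoded or mixed separators and symlinks both defeat string filtering, while `resolve()` reduces every variant to the one real location that is then compared against the allowed base. Logging each `PathTraversalError` at the point it is raised also gives a clean detection signal for attempts against this code path.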