CVE-2025-45890

Critical · Public PoC

Published: 20 June 2025

Modified: 26 June 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0621 (91.1th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-45890 is a critical-severity Path Traversal (CWE-22) vulnerability in Xxyopen Novel-Plus. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2025-45890 is a directory traversal vulnerability, tracked as CWE-22, that affects Novel-Plus versions prior to 5.1.0. The flaw is exposed through the filePath parameter and is rated 9.8 under CVSS 3.1, reflecting a network-accessible attack with low complexity, no required privileges, and no user interaction that can fully impact confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply a crafted filePath value to traverse directories and execute arbitrary code on the server. Successful exploitation grants the attacker the same privileges as the application process, enabling complete compromise of the affected instance.

Public references consist of duplicate entries in a GitHub repository that document the issue, but no additional advisory text or patch details are supplied beyond the version boundary stated in the CVE description. The EPSS score has remained flat at 0.0621 with no material rise since publication.

Vulnerability details

Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal vulnerability in novel-plus web application allows remote arbitrary code execution via filePath parameter, enabling exploitation of a public-facing application.

Affected Assets

xxyopen
novel-plus
≤ 5.1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
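
The pathname validation this control describes, as an added example. It is not Novel-Plus code or the project's fix, and the page does not say how the application handles filePath. The names resolve_under, UnsafePath and demo, and the directory layout, are hypothetical.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The requested path would leave the allowed directory."""


def resolve_under(base_dir, file_path):
    """Return the canonical path for file_path, or raise UnsafePath."""
    if "\x00" in file_path:
        raise UnsafePath("NUL byte in path")
    base = Path(base_dir).resolve(strict=True)
    # Join, then canonicalise: resolve() collapses ".." and follows symlinks.
    # An absolute file_path replaces base in the join and is rejected below.
    candidate = (base / file_path).resolve()
    # Compare path components, not string prefixes: startswith() would accept
    # the sibling "<base>-private" for a base directory "<base>".
    if base not in candidate.parents:
        raise UnsafePath(f"{file_path!r} resolves outside {base}")
    return candidate


def demo():
    """Run constructed filePath values against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "files")
        private = Path(root, "files-private")
        base.mkdir()
        private.mkdir()
        (base / "cover.png").write_bytes(b"ok")
        (private / "secret.txt").write_text("secret")
        os.symlink(private, base / "link")  # symlink pointing out of base
        samples = ["cover.png", "sub/../cover.png", "../files-private/secret.txt",
                   str(private / "secret.txt"), "link/secret.txt", "a\x00.png"]
        for file_path in samples:  # constructed inputs, not from the page
            try:
                resolve_under(base, file_path)
                results[file_path] = True
            except UnsafePath:
                results[file_path] = False
    return results

if __name__ == "__main__":
    for value, allowed in demo().items():
        print(f"{value!r:45} {'allow' if allowed else 'reject'}")
```

The check has to run on the final string that is passed to the file API, after every decoding step the application performs, otherwise a later decode can reintroduce traversal sequences.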
