CVE-2025-45890
Published: 20 June 2025
Summary
CVE-2025-45890 is a critical-severity Path Traversal (CWE-22) vulnerability in Xxyopen Novel-Plus. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-45890 is a directory traversal vulnerability, tracked as CWE-22, that affects novel plus versions prior to 5.1.0. The flaw is exposed through the filePath parameter and is rated 9.8 under CVSS 3.1, reflecting a network-accessible attack with low complexity, no required privileges, and no user interaction that can fully impact confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply a crafted filePath value to traverse directories and execute arbitrary code on the server. Successful exploitation grants the attacker the same privileges as the application process, enabling complete compromise of the affected instance.
Public references consist of duplicate entries in a GitHub repository that document the issue, but no additional advisory text or patch details are supplied beyond the version boundary stated in the CVE description. The EPSS score has remained flat at 0.0621 with no material rise since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19049
Vulnerability details
Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal vulnerability in novel-plus web application allows remote arbitrary code execution via filePath parameter, enabling exploitation of a public-facing application.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.