CVE-2025-46822
Published: 21 May 2025
Summary
CVE-2025-46822 is a high-severity Absolute Path Traversal (CWE-36) vulnerability with a CVSS base score of 7.7 (High).
Operationally, its EPSS percentile places it in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-46822 affects OsamaTaher/Java-springboot-codebase, a repository of Java and Spring Boot code examples and projects. The flaw is the classic CWE-36 pattern: user-controlled input is joined to an intended base directory without first rejecting absolute paths, and because resolving an absolute path against a base directory yields the absolute path unchanged, the base directory is silently discarded. The issue is tracked under CWE-36 and carries a CVSS 4.0 score of 7.7, reflecting network-reachable exploitation without authentication or user interaction.
An unauthenticated remote attacker can therefore supply an absolute path and read arbitrary files the application process can access, exposing configuration data, source code, or other sensitive material stored within the application environment. All revisions prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2 are affected.
The project’s GitHub security advisory GHSA-q6mm-cm37-w637 and the referenced commit document the patch that restores proper path validation. Exploitation probability rose from a low baseline to a peak EPSS score of 0.1148 on 2025-12-11 before receding to the current value of 0.0684, indicating increased interest after public disclosure.
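The following is an added illustration of the mechanism described above; it is not code from OsamaTaher/Java-springboot-codebase or from the advisory, and the class and method names are hypothetical. It shows why joining a user-supplied absolute path onto a base directory with Path.resolve() discards the base directory, and a hardened resolver that rejects absolute input, normalizes ".." segments, and verifies containment before reading. Plain JDK 11+ APIs are used so it runs without Spring.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical file-serving helper used to illustrate CWE-36, not project code. */
public class PathTraversalDemo {

    // Directory the application intends to serve files from (assumed layout).
    private final Path baseDir;

    public PathTraversalDemo(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Vulnerable pattern (CWE-36): Path.resolve() returns the argument itself
     * when the argument is an absolute path, so "/etc/passwd" resolves to
     * /etc/passwd rather than to <baseDir>/etc/passwd.
     */
    public Path resolveUnsafe(String userSupplied) {
        return baseDir.resolve(userSupplied);
    }

    /**
     * Hardened version: reject absolute input outright, normalize away "..",
     * then confirm the result is still inside baseDir before touching disk.
     * Path.startsWith compares whole components, so /app/files2 is not
     * accepted as a child of /app/files.
     */
    public Path resolveSafe(String userSupplied) {
        Path requested;
        try {
            requested = Paths.get(userSupplied);
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed path", e);
        }
        if (requested.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        Path resolved = baseDir.resolve(requested).normalize();
        if (!resolved.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    public String readSafe(String userSupplied) throws IOException {
        return Files.readString(resolveSafe(userSupplied));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory with one legitimate file.
        Path base = Files.createTempDirectory("app-files");
        Files.writeString(base.resolve("report.txt"), "quarterly report");
        PathTraversalDemo demo = new PathTraversalDemo(base);

        // Demonstrates the base directory being discarded (Unix-style path).
        System.out.println("unsafe /etc/passwd -> " + demo.resolveUnsafe("/etc/passwd"));
        System.out.println("safe report.txt    -> " + demo.readSafe("report.txt"));

        for (String bad : new String[] {"/etc/passwd", "../../etc/passwd", "sub/../../report.txt"}) {
            try {
                demo.resolveSafe(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Two caveats a reviewer would raise on the hardened version: normalize() is lexical and does not follow symbolic links, so if the served directory may contain attacker-influenced symlinks, compare toRealPath() of the resolved file against toRealPath() of the base directory instead; and the isAbsolute() check is platform-specific (on Windows, "/etc/passwd" is root-relative, not absolute), which is why the containment check after normalization is kept as the final gate rather than relying on input rejection alone.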
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16069
Vulnerability details
OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.
- CWE(s): CWE-36 (Absolute Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- OsamaTaher/Java-springboot-codebase, all revisions prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.