CVE-2025-56816
Published: 24 September 2025
Summary
CVE-2025-56816 is a high-severity Path Traversal (CWE-22) vulnerability in Running-Elephant Datart. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Datart 1.0.0-rc.3 contains a directory traversal flaw in its configuration file handling that permits attackers to upload arbitrary YAML content to the path config/jdbc-driver-ext.yml. The application then deserializes this file using SnakeYAML's unsafe load or loadAs methods without any input validation, enabling instantiation of attacker-controlled classes and, under suitable conditions, remote code execution. The issue is tracked under both CWE-22 and CWE-502 and carries a CVSS 3.1 score of 8.8.
An unauthenticated network attacker can trigger the flaw with user interaction, supplying a malicious YAML file that results in arbitrary code execution and full compromise of confidentiality, integrity, and availability on the affected instance. The referenced Datart repository and the related CVE-2025-56815 disclosure provide no public advisories or patch details.
EPSS remains flat at 0.0273 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31012
Vulnerability details
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. The configuration file handling of the application allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses this file using SnakeYAML's unsafe load() or loadAs() method without input sanitization.
This allows deserialization of attacker-controlled YAML content, leading to arbitrary class instantiation. Under certain conditions, this can be exploited to achieve remote code execution (RCE).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves directory traversal in a web application's file upload endpoint (/api/v1/files/viz/image), enabling attackers to overwrite the config/jdbc-driver-ext.yml file with malicious YAML. The unsafe SnakeYAML deserialization parses this content, allowing arbitrary class instantiation and potential RCE, which aligns with exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the directory traversal and unsafe SnakeYAML deserialization flaw by identifying, reporting, and correcting the vulnerability to prevent arbitrary YAML uploads and RCE.
- Enforces validation and sanitization of file upload paths and YAML content to block directory traversal to config/jdbc-driver-ext.yml and malicious deserialization payloads.
- Monitors the integrity of critical configuration files like jdbc-driver-ext.yml to detect unauthorized modifications from directory traversal exploits.
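The input-validation control above, sketched as an added example (not Datart's code): upload names are confined to a single directory, and YAML is parsed with SnakeYAML's SafeConstructor so that global tags naming Java classes are refused. The class name, method names and UPLOAD_ROOT are hypothetical, and a SnakeYAML version that provides SafeConstructor(LoaderOptions) is assumed.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

public class UploadHardening {
    // Hypothetical upload root; the real Datart directory layout is not given on this page.
    static final Path UPLOAD_ROOT = Paths.get("files", "viz", "image").toAbsolutePath().normalize();

    // Resolve a client-supplied name under UPLOAD_ROOT and reject anything that escapes it.
    // normalize() collapses "../" segments; it does not follow symlinks.
    static Path resolveUpload(String clientName) throws IOException {
        if (clientName == null || clientName.isEmpty() || clientName.indexOf('\0') >= 0) {
            throw new IOException("invalid file name");
        }
        Path target = UPLOAD_ROOT.resolve(clientName).normalize();
        if (!target.startsWith(UPLOAD_ROOT) || target.equals(UPLOAD_ROOT)) {
            throw new IOException("path escapes upload root: " + clientName);
        }
        return target;
    }

    // Parse configuration text with SafeConstructor: only standard YAML types are built,
    // and a document carrying a class tag fails with an unchecked YAMLException.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseDriverConfig(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object doc = yaml.load(yamlText);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at top level");
        }
        return (Map<String, Object>) doc;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name, and a name pointing at the file named in the advisory.
        for (String name : new String[] {"chart.png", "../../../config/jdbc-driver-ext.yml"}) {
            try {
                System.out.println("accepted: " + resolveUpload(name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // Constructed documents: plain mapping, then one with a placeholder class tag.
        for (String doc : new String[] {"MYSQL:\n  db-type: mysql\n", "x: !!com.example.NotAllowed {}\n"}) {
            try {
                System.out.println("parsed: " + parseDriverConfig(doc));
            } catch (RuntimeException e) {
                System.out.println("refused: " + e.getClass().getSimpleName());
            }
        }
    }
}
```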