CVE-2025-56816
Published: 24 September 2025
Summary
CVE-2025-56816 is a high-severity Path Traversal (CWE-22) vulnerability in Running-Elephant Datart. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the directory traversal and unsafe SnakeYAML deserialization flaw by identifying, reporting, and correcting the vulnerability to prevent arbitrary YAML uploads and RCE.
- Enforces validation and sanitization of file upload paths and YAML content to block directory traversal to config/jdbc-driver-ext.yml and malicious deserialization payloads.
- Monitors the integrity of critical configuration files like jdbc-driver-ext.yml to detect unauthorized modifications from directory traversal exploits.
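One way to apply the upload-path validation described above, as an added Java example that is not Datart's own code: it resolves a client-supplied file name against a fixed upload directory and rejects anything that normalizes to a location outside it. The class name, directory layout and sample names are assumptions constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/** Added example: confines client-supplied upload names to one directory. */
public final class UploadPathGuard {
    private final Path baseDir;

    public UploadPathGuard(Path baseDir) {
        // Absolute and normalized, so later prefix checks compare like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the storage path for clientName, or throws if it leaves baseDir. */
    public Path resolve(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // resolve() returns an absolute argument unchanged; normalize() collapses "..".
        Path candidate = baseDir.resolve(clientName).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // ".../image-evil" is not treated as being inside ".../image".
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new SecurityException("upload path escapes " + baseDir);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed layout and inputs, not Datart's real directories or parameters.
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/opt/app/files/viz/image"));
        List<String> names = List.of(
            "dashboard-1/chart.png",                      // stays inside: accepted
            "../../../config/jdbc-driver-ext.yml",        // climbs out: rejected
            "a/../../../../config/jdbc-driver-ext.yml",   // climbs out after a detour: rejected
            "/opt/app/config/jdbc-driver-ext.yml",        // absolute path: rejected
            "../image-evil/chart.png");                   // sibling with shared prefix: rejected
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + guard.resolve(name));
            } catch (RuntimeException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical and does not follow symbolic links; where the upload directory can contain links, compare the parent directory's `toRealPath()` against the base directory before writing.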
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves directory traversal in a web application's file upload endpoint (/api/v1/files/viz/image), enabling attackers to overwrite the config/jdbc-driver-ext.yml file with malicious YAML. The unsafe SnakeYAML deserialization parses this content, allowing arbitrary class instantiation and potential RCE, which aligns with exploitation of a public-facing application.
NVD Description
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. The configuration file handling of the application allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses this file using SnakeYAML's unsafe load() or loadAs() method without input sanitization. This allows deserialization of attacker-controlled YAML content, leading to arbitrary class instantiation. Under certain conditions, this can be exploited to achieve remote code execution (RCE).
Deeper analysis
Datart 1.0.0-rc.3 is vulnerable to a directory traversal flaw (CWE-22) in its configuration file handling, combined with unsafe deserialization (CWE-502). Attackers can upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses these files using SnakeYAML's unsafe load() or loadAs() methods without input sanitization, enabling deserialization of attacker-controlled YAML content and arbitrary class instantiation. Under certain conditions, this leads to remote code execution (RCE).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating exploitation is possible over the network by unauthenticated attackers (PR:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful attacks can achieve high impacts on confidentiality, integrity, and availability, potentially resulting in RCE on the affected system.
References include the Datart GitHub repository at https://github.com/running-elephant/datart and a related repository at https://github.com/xiaoxiaoranxxx/CVE-2025-56815, which may contain additional details on advisories or patches for mitigation.
Details
- CWE(s)