Cyber Posture

CVE-2025-63298

Severity: High · Public PoC referenced

Published: 30 October 2025
Modified: 06 November 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0014 (34.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-63298 is a high-severity path traversal ('../filedir', CWE-24) vulnerability in Mayurik Pet Grooming Management Software, distributed through SourceCodester as Pet Grooming Management System 1.0. Its CVSS base score is 8.2 (High). One caveat when prioritising: the published vector scores privileges required as none (PR:N), while the NVD description below states that exploitation needs an authenticated user with administrative privileges. Treat this as a post-authentication flaw; a vector reflecting that precondition (PR:H) would score lower.

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). Its EPSS score places it at the 34.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of user-supplied input to the admin/manage_website.php component, directly blocking the path traversal payloads in crafted POST requests that would otherwise lead to arbitrary file deletion.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of the path traversal flaw (CWE-24) in the Pet Grooming Management System, removing the vulnerability itself.

AC-6 Least Privilege (prevent): Runs the web server process that handles admin requests with the minimum file-system rights it needs, so that even a successful traversal can only delete files that process is allowed to write, not arbitrary files on the host.
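The following is an added illustration of the CWE-24 pattern the SI-10 control addresses, written for this page; it is not code from the Pet Grooming Management System's manage_website.php, whose parameter names the advisory does not state. The base directory, the request parameter, and the sample files are assumptions constructed for the demonstration. It shows the vulnerable concatenate-and-unlink pattern beside a hardened resolver that accepts only a bare file name and verifies the canonical path stays inside the intended directory.

```php
<?php
// Added illustration for the CWE-24 pattern behind CVE-2025-63298. This is not
// code from the SourceCodester Pet Grooming Management System; the "uploads"
// directory, the parameter value and the sample files are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the user-controlled value is appended to a base directory
// and passed straight to unlink(). "../index.php" walks out of $baseDir, which
// is the arbitrary-file-deletion primitive the advisory describes.
function deleteVulnerable(string $baseDir, string $userPath): bool
{
    return @unlink($baseDir . '/' . $userPath);
}

// Hardened resolution (SI-10 input validation): only a bare file name is
// accepted, and the canonical path must sit strictly inside the canonical base
// directory. realpath() resolves symlinks and ".." segments, so a symlink
// planted inside the directory that points elsewhere is rejected as well.
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || $userPath !== basename($userPath)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;   // also covers files that do not exist
    }
    // Compare with the trailing separator so "/srv/uploads2" is not accepted
    // as being inside "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function deleteHardened(string $baseDir, string $userPath): bool
{
    $target = resolveInside($baseDir, $userPath);
    if ($target === null || !is_file($target)) {
        error_log('refused delete of ' . var_export($userPath, true));
        return false;
    }
    return unlink($target);
}

// Self-contained demonstration in a temporary directory with constructed files.
function demo(): array
{
    $root = sys_get_temp_dir() . '/cve_2025_63298_' . bin2hex(random_bytes(4));
    $uploads = $root . '/uploads';
    mkdir($uploads, 0700, true);
    file_put_contents($root . '/index.php', "<?php // site entry point\n");
    file_put_contents($uploads . '/banner.png', 'constructed sample');

    $payload = '../index.php';   // traversal value of the kind the advisory describes
    $results = [];

    deleteVulnerable($uploads, $payload);
    $results['vulnerable handler removed index.php'] = !file_exists($root . '/index.php');

    file_put_contents($root . '/index.php', "<?php\n");
    $refused = deleteHardened($uploads, $payload) === false;
    $results['hardened handler refused traversal'] = $refused && file_exists($root . '/index.php');

    $results['hardened handler still deletes banner.png'] =
        deleteHardened($uploads, 'banner.png') && !file_exists($uploads . '/banner.png');

    // Other shapes the basename() check stops: absolute and nested paths.
    $results['absolute path refused'] = resolveInside($uploads, '/etc/hostname') === null;
    $results['nested path refused']   = resolveInside($uploads, 'sub/../banner.png') === null;

    @unlink($root . '/index.php');
    @rmdir($uploads);
    @rmdir($root);
    return $results;
}

foreach (demo() as $check => $ok) {
    printf("%-44s %s\n", $check, $ok ? 'yes' : 'no');
}
```

Run it with the PHP CLI (`php example.php`); every line should print `yes`. The resolver is deliberately stricter than a prefix check alone: refusing anything that is not a bare file name removes whole classes of payloads before path resolution is attempted, and the realpath comparison then catches symlinks. This only closes the code path in question; the AC-6 control still matters, because a web server process that cannot write to the application's own code directory cannot delete index.php even if another handler is found to be vulnerable.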

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Path traversal enables arbitrary file deletion on the web server or underlying OS. That supports indicator removal through file deletion (T1070.004, formerly tracked as T1107), data destruction (T1485), and endpoint denial of service through application exploitation, for example by deleting a critical file such as index.php (T1499.004).

NVD Description

A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server or underlying operating system.

Deeper analysis

CVE-2025-63298 is a path traversal vulnerability in the SourceCodester Pet Grooming Management System 1.0, specifically affecting the admin/manage_website.php component. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-24. The flaw was published on 2025-10-30.

An authenticated user with administrative privileges can exploit this vulnerability by submitting a specially crafted POST request. Successful exploitation enables the deletion of arbitrary files on the web server or underlying operating system, potentially leading to significant availability impacts.

Mitigation details and further technical information, including proof-of-concept exploitation, are available in the referenced GitHub repository at https://github.com/z3rObyte/CVE-2025-63298. The affected software can be downloaded from https://www.sourcecodester.com/sites/default/files/download/mayuri_k/petgrooming_erp.zip for testing and verification. No vendor patches are detailed in the provided information.

Details

CWE(s): CWE-24 Path Traversal: '../filedir'

Affected Products: mayurik / pet grooming management software / 1.0

CVEs Like This One

CVE-2026-1702 (same product: Mayurik Pet Grooming Management Software)
CVE-2025-1599 (same vendor: Mayurik)
CVE-2026-40318 (shared CWE-24)
CVE-2025-0802 (same vendor: Mayurik)
CVE-2025-1869 (same vendor: Mayurik)
CVE-2025-1593 (same vendor: Mayurik)
CVE-2025-1596 (same vendor: Mayurik)
CVE-2025-1200 (same vendor: Mayurik)
CVE-2025-1598 (same vendor: Mayurik)
CVE-2025-1872 (same vendor: Mayurik)

References

https://github.com/z3rObyte/CVE-2025-63298 (proof of concept and technical details)
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/petgrooming_erp.zip (affected software, for testing and verification)