CVE-2025-66410
Published: 01 December 2025
Summary
CVE-2025-66410 is a critical-severity Path Traversal (CWE-22) vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2025-66410 by applying the vendor patch that fixes the path traversal in the FileMd5 parameter handling.
Information input validation prevents path traversal attacks by sanitizing and validating the FileMd5 parameter to restrict it to safe paths.
Access enforcement restricts file deletion operations to only authorized resources, limiting the impact of manipulated FileMd5 parameters on arbitrary server files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a path traversal in a public-facing web application (Gin-vue-admin) enabling remote unauthenticated arbitrary file and folder deletion (T1190 for exploitation; T1070.004 for file deletion capability).
NVD Description
Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete…
more
any file and folder.
Deeper analysisAI
CVE-2025-66410 is a path traversal vulnerability (CWE-22) affecting Gin-vue-admin, a backstage management system built on Vue and Gin. Versions 2.8.6 and earlier are vulnerable, where attackers can manipulate the 'FileMd5' parameter to delete arbitrary files and folders on the server, potentially leading to resource damage or service unavailability. The issue was published on 2025-12-01 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity due to high impacts on integrity and availability with no confidentiality loss.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By controlling the 'FileMd5' parameter, they gain the ability to target and delete any server file or folder, enabling destructive actions such as removing critical system files, application data, or configuration, which could render the server inoperable or cause significant operational disruption.
Mitigation details are provided in the project's GitHub security advisory at https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7, along with a fixing commit at https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6. Security practitioners should apply the patch by updating to a version beyond 2.8.6 and review access to endpoints handling the 'FileMd5' parameter.
Details
- CWE(s)