CVE-2025-69981
Published: 03 February 2026
Summary
CVE-2025-69981 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 24.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces authentication and authorization on the /api/upload endpoint so that unauthenticated remote attackers cannot upload files at all.
- SI-10 (Information Input Validation): validates every input to the /api/upload endpoint, including file type, size, content, and the destination path, so that an upload cannot overwrite critical files or place an executable script on the server.
- CM-7 (Least Functionality): disables, or restricts to authorized roles, the file-upload capability exposed via /api/upload where it is not required.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated, unrestricted file upload on a public API is a direct instance of exploiting a public-facing application (T1190), and the ability to write arbitrary files to the server enables web shell deployment for code execution (T1505.003).
NVD Description
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.
Deeper analysis
CVE-2025-69981 is an Unrestricted File Upload vulnerability in FUXA version 1.2.7, affecting the `/api/upload` API endpoint. This endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files to the server.
Unauthenticated attackers with network access can exploit the vulnerability due to its low complexity and lack of privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Successful exploitation enables overwriting critical system files, such as the SQLite user database, to gain administrative access, or uploading malicious scripts to execute arbitrary code (CWE-434).
The vulnerable code is exposed in the FUXA repository at https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193. Note that this link points at the master branch, so the line reference will drift as the file changes; check out the v1.2.7 tag when verifying the affected handler. No vendor advisories or patches are referenced in available details.
Details
- CWE(s)