Cyber Resilience

CVE-2025-8343

LowPublic PoC

Published: 31 July 2025

Published
31 July 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0068 72.1th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8343 is a low-severity Path Traversal (CWE-22) vulnerability in Viglet Shio. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-8343 is a path traversal vulnerability (CWE-22) in openviglet shio versions up to 0.3.8. The issue resides in the shStaticFilePreUpload function within the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java, where manipulation of the fileName argument allows attackers to traverse directories. Although described as critical in some sources, the CVSS v3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.

The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L). Attackers can send crafted requests to the affected endpoint, leveraging the fileName parameter to access files outside the intended directory, potentially reading sensitive configuration or data files. No integrity or availability impacts are associated, and the exploit has been publicly disclosed, increasing the risk of immediate use.

Advisories and discussions are tracked in GitHub issues at https://github.com/openviglet/shio/issues/1028 and https://github.com/openviglet/shio/issues/1028#issue-3239418750, with additional details on VulDB at https://vuldb.com/?ctiid.318293, https://vuldb.com/?id.318293, and https://vuldb.com/?submit.617679. No specific patch or mitigation steps are detailed in the provided information, so practitioners should monitor these sources for updates and consider restricting access to the static file API endpoint.

EU & UK References

Vulnerability details

A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be…

more

initiated remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in remote web API enables exploitation of public-facing app (T1190) for unauthorized local file reads (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-8344Same product: Viglet Shio
CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22

Affected Assets

viglet
shio
≤ 0.3.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the fileName argument in shStaticFilePreUpload to block path traversal sequences before file access occurs.

prevent

Enforces access control policy so that requests using crafted fileName values cannot reach files outside the intended static-file directory.

prevent

Information-flow rules can be configured to prohibit directory-traversal flows from the static-file API endpoint to unauthorized file-system locations.

References