CVE-2025-8343
Published: 31 July 2025
Summary
CVE-2025-8343 is a low-severity Path Traversal (CWE-22) vulnerability in Viglet Shio. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-8343 is a path traversal vulnerability (CWE-22) in openviglet shio versions up to 0.3.8. The issue resides in the shStaticFilePreUpload function within the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java, where manipulation of the fileName argument allows attackers to traverse directories. Although described as critical in some sources, the CVSS v3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.
The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L). Attackers can send crafted requests to the affected endpoint, leveraging the fileName parameter to access files outside the intended directory, potentially reading sensitive configuration or data files. No integrity or availability impacts are associated, and the exploit has been publicly disclosed, increasing the risk of immediate use.
Advisories and discussions are tracked in GitHub issues at https://github.com/openviglet/shio/issues/1028 and https://github.com/openviglet/shio/issues/1028#issue-3239418750, with additional details on VulDB at https://vuldb.com/?ctiid.318293, https://vuldb.com/?id.318293, and https://vuldb.com/?submit.617679. No specific patch or mitigation steps are detailed in the provided information, so practitioners should monitor these sources for updates and consider restricting access to the static file API endpoint.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23219
Vulnerability details
A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be…
more
initiated remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in remote web API enables exploitation of public-facing app (T1190) for unauthorized local file reads (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the fileName argument in shStaticFilePreUpload to block path traversal sequences before file access occurs.
Enforces access control policy so that requests using crafted fileName values cannot reach files outside the intended static-file directory.
Information-flow rules can be configured to prohibit directory-traversal flows from the static-file API endpoint to unauthorized file-system locations.