CVE-2025-14521 – This CVE describes a path traversal vulnerabili... (How to Fix)

Q: What is the severity of CVE-2025-14521?

CVE-2025-14521 has a CVSS score of 4.3 (MEDIUM). This CVE describes a path traversal vulnerability in baowzh hfly's admin interface that allows attackers to read arbitrary files on the server. The vulnerability exists in the /admin/index.php/datafile/download endpoint where the filename parameter can be manipulated to access files outside the intended directory. This affects all deployments of baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c.

📋 TL;DR

This CVE describes a path traversal vulnerability in baowzh hfly's admin interface that allows attackers to read arbitrary files on the server. The vulnerability exists in the /admin/index.php/datafile/download endpoint where the filename parameter can be manipulated to access files outside the intended directory. This affects all deployments of baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c.

💻 Affected Systems

Products:

baowzh hfly

Versions: All versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: The product uses rolling releases, so specific version numbers aren't available. All instances with the vulnerable code are affected.

📦 What is this software?

Hfly by Baowzh

View all CVEs affecting Hfly →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files like /etc/passwd, configuration files containing credentials, or application source code, potentially leading to full system compromise.

🟠

Likely Case

Unauthorized reading of sensitive application files, configuration data, or user information stored on the server.

🟢

If Mitigated

Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk depends on internal network segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details are available in GitHub repositories. The vulnerability requires no authentication and uses simple path traversal techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider applying community fixes or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to the filename parameter to prevent directory traversal sequences

Modify /admin/index.php/datafile/download to validate filename parameter against allowed patterns

Web Server Access Restrictions

all

Configure web server to restrict access to sensitive directories

Add appropriate .htaccess rules or nginx location blocks to limit file access

🧯 If You Can't Patch

Implement WAF rules to block path traversal patterns in requests
Restrict network access to the admin interface using firewall rules

🔍 How to Verify

Check if Vulnerable:

Test if you can access /admin/index.php/datafile/download?filename=../../../etc/passwd (or similar traversal patterns)

Check Version:

Check git commit hash: git log --oneline -1

Verify Fix Applied:

Attempt the same traversal attack after implementing fixes; should return error or empty response

📡 Detection & Monitoring

Log Indicators:

Multiple requests to /admin/index.php/datafile/download with ../ patterns in parameters
Unusual file access patterns from single IPs

Network Indicators:

HTTP requests containing directory traversal sequences (../, ..\, etc.)

SIEM Query:

web.url:*datafile/download* AND (web.param.filename:*../* OR web.param.filename:*..\*)

📊 Metadata

CVE ID: CVE-2025-14521

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-22

EPSS Score: 0.12% exploit probability (31.2th percentile)

Published: December 11, 2025

Last Updated: January 9, 2026

🔗 References

https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20download%20filename%20Arbitrary%20file%20reading.md Broken Link
https://vuldb.com/?ctiid.335859 Permissions Required,VDB Entry
https://vuldb.com/?id.335859 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.702949 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14521, you might also want to check these: