CVE-2025-2742

5.4 MEDIUM

📋 TL;DR

This critical vulnerability in ruoyi-vue-pro 2.4.1 allows remote attackers to perform path traversal attacks through the material upload interface. By manipulating file upload parameters, attackers can potentially delete arbitrary files on the server. All systems running the vulnerable version with the material upload interface exposed are affected.

💻 Affected Systems

Products:
  • zhijiantianya ruoyi-vue-pro
Versions: 2.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the material upload interface to be accessible and functional.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or privilege escalation.

🟠 Likely Case

Unauthorized deletion of application files, configuration files, or user-uploaded content, causing service disruption and potential data loss.

🟢 If Mitigated

Limited impact with proper file permission restrictions and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation on the upload-permanent material endpoint to reject any file paths containing directory traversal sequences.

Access Control Restriction (applies to: all)

Restrict access to the /admin-api/mp/material/upload-permanent endpoint to authorized users only and implement rate limiting.
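The input-validation workaround above, worked through as an added example (this is illustrative code, not code from ruoyi-vue-pro; the upload root `/srv/app/uploads` and the function names are assumptions). It treats the client-supplied name as a single path component, decodes percent-encoding until stable so double-encoded `..` is caught, and finishes with a resolved-path check so that sibling directories and pre-existing symlinks cannot be used to escape the upload root:

```python
"""Added example: server-side validation of a client-supplied file name before
it is used to create or delete a file under an upload directory.

The base directory and function names are assumptions for illustration; this
is not code from ruoyi-vue-pro.
"""
from pathlib import Path
from urllib.parse import unquote


class UnsafeFilenameError(ValueError):
    """Raised when a client-supplied name could escape the upload directory."""


def _decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_upload_path(base_dir: str, client_filename: str) -> Path:
    """Return the absolute path for client_filename inside base_dir, or raise.

    The name must be a single path component: no separators, no '.'/'..',
    no NUL bytes. The final check compares resolved paths, which also
    follows symlinks that already exist inside base_dir.
    """
    base = Path(base_dir).resolve()
    name = _decode_repeatedly(client_filename)

    if not name or name in (".", "..") or "\x00" in name:
        raise UnsafeFilenameError(f"invalid file name: {client_filename!r}")
    if "/" in name or "\\" in name:
        raise UnsafeFilenameError(f"path separators not allowed: {client_filename!r}")

    candidate = (base / name).resolve()
    # Defence in depth: even after the checks above, the file must be a
    # direct child of the base directory, not a sibling such as 'uploads_evil'.
    if candidate.parent != base:
        raise UnsafeFilenameError(f"escapes upload directory: {client_filename!r}")
    return candidate


def is_safe_filename(base_dir: str, client_filename: str) -> bool:
    """Boolean convenience wrapper for a request filter or WAF-style check."""
    try:
        safe_upload_path(base_dir, client_filename)
        return True
    except UnsafeFilenameError:
        return False


if __name__ == "__main__":
    base = "/srv/app/uploads"  # assumed upload root, not from the advisory
    for name in ["logo.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                 "%252e%252e%252fconfig", "a\\b.png", "file\x00.png", ".."]:
        verdict = "ok" if is_safe_filename(base, name) else "REJECTED"
        print(f"{name!r:32} -> {verdict}")
```

The same check should run before every filesystem operation that uses the name (create, move and delete), not only at upload time; a deletion handler that rebuilds the path from a stored or client-supplied value is exactly where the advisory's arbitrary-file-deletion impact arises.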

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal patterns in requests to the vulnerable endpoint.
  • Monitor and audit file deletion activities on the server and set up alerts for suspicious patterns.

🔍 How to Verify

Check if Vulnerable:

Check if running ruoyi-vue-pro version 2.4.1 and if the /admin-api/mp/material/upload-permanent endpoint is accessible. Test with controlled path traversal payloads.

Check Version:

Check application configuration files or deployment manifests for version information.

Verify Fix Applied:

Verify that path traversal attempts are blocked and that file operations are restricted to intended directories.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in application logs
  • Failed or successful path traversal attempts in access logs

Network Indicators:

  • HTTP requests to /admin-api/mp/material/upload-permanent with suspicious file parameters containing ../ sequences

SIEM Query:

source="application_logs" AND (event="file_deletion" OR message="*../*")
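The log and network indicators above, turned into runnable detection logic as an added example (not code from the project or the advisory). It scans web access log lines for `..` sequences in requests to the upload endpoint, decoding percent-encoding repeatedly so single- and double-encoded variants are caught, and scans application log lines for deletion events whose normalised path escapes the upload directory. All log lines, IP addresses and the `/srv/app/uploads` location are constructed samples:

```python
"""Added example: detection logic for path traversal attempts of the kind
described in CVE-2025-2742. Log lines and paths below are constructed
samples, not real data from the affected project.
"""
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/admin-api/mp/material/upload-permanent"
UPLOAD_DIR = "/srv/app/uploads"  # assumed location; not from the advisory

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# '..' followed by a slash, backslash or end of string, tested after decoding
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')
# Application log line written by an assumed deletion routine
APP_DELETE_RE = re.compile(r'file_deletion\s+path=(?P<path>\S+)')


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return requests whose decoded target contains a traversal sequence."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = decode_repeatedly(m["target"])
        if not TRAVERSAL_RE.search(decoded):
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "target": m["target"], "decoded": decoded,
            "vulnerable_endpoint": decoded.startswith(ENDPOINT),
        })
    return findings


def scan_app_log(lines, upload_dir=UPLOAD_DIR):
    """Return deletion events whose normalised path lies outside upload_dir."""
    base = posixpath.normpath(upload_dir)
    findings = []
    for line in lines:
        m = APP_DELETE_RE.search(line)
        if not m:
            continue
        # Relative paths are resolved against the upload root; absolute ones win.
        resolved = posixpath.normpath(posixpath.join(base, m["path"]))
        if posixpath.commonpath([base, resolved]) != base:
            findings.append({"raw": m["path"], "resolved": resolved})
    return findings


# Constructed sample data (documentation-range IPs, invented timestamps).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:15:32 +0000] "POST /admin-api/mp/material/upload-permanent?type=image HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2025:10:16:01 +0000] "POST /admin-api/mp/material/upload-permanent?type=image&name=..%2F..%2Fapplication.yaml HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [12/Mar/2025:10:16:07 +0000] "POST /admin-api/mp/material/upload-permanent?type=image&name=%252e%252e%252fconfig HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Mar/2025:10:17:40 +0000] "GET /admin-api/mp/material/page?pageNo=1 HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2025:10:18:02 +0000] "GET /static/..%5c..%5cweb.xml HTTP/1.1" 404 0 "-" "curl/8.6"',
]
SAMPLE_APP_LOG = [
    "2025-03-12 10:15:33 INFO  MaterialService - file_deletion path=/srv/app/uploads/img/old.png user=admin",
    "2025-03-12 10:16:02 INFO  MaterialService - file_deletion path=/srv/app/uploads/../../etc/hosts user=admin",
    "2025-03-12 10:16:08 INFO  MaterialService - file_deletion path=../../application.yaml user=admin",
    "2025-03-12 10:17:00 INFO  MaterialService - file_uploaded path=/srv/app/uploads/img/new.png user=admin",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        flag = "ENDPOINT" if f["vulnerable_endpoint"] else "other"
        print(f"[{flag}] {f['ip']} {f['time']} {f['decoded']}")
    for f in scan_app_log(SAMPLE_APP_LOG):
        print(f"[DELETE OUTSIDE ROOT] {f['raw']} -> {f['resolved']}")
```

One caveat when relying on access logs alone: if the file name travels in a multipart upload body rather than the URL, the web server log never sees it, so the application-side deletion log (or a WAF that inspects request bodies) is the indicator that actually covers the vulnerable parameter. Overlong UTF-8 encodings of `.` are outside what `unquote` normalises and would need a separate rule.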

🔗 References
