CVE-2025-2744

5.4 MEDIUM

📋 TL;DR

This path traversal vulnerability (scored 5.4 MEDIUM) in zhijiantianya ruoyi-vue-pro 2.4.1 affects the material upload interface at /admin-api/mp/material/upload-news-image. By manipulating the file argument of the upload request, an attacker can potentially access or delete files outside the intended upload directory on the server. Organizations running this specific version with the vulnerable endpoint reachable are affected.

💻 Affected Systems

Products:
  • zhijiantianya ruoyi-vue-pro
Versions: 2.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Material Upload Interface component to be enabled and accessible.

📦 What is this software?

ruoyi-vue-pro (also published as yudao) is an open-source Java back-office platform built on Spring Boot with a Vue front end. The affected endpoint belongs to its mp (WeChat Official Account) module, which manages uploaded article images and other material.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Deletion or tampering of arbitrary files reachable by the account running the application, leading to service disruption, data loss, or a foothold for further compromise if application or system files are targeted. The blast radius is bounded by that account's file system permissions.

🟠

Likely Case

Unauthorized file access or deletion in the web application directory, potentially exposing sensitive configuration files, user data, or enabling further attacks.

🟢

If Mitigated

Limited impact with proper file permission restrictions and input validation, potentially only affecting non-critical files within the application's scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (an authenticated session to the admin API is required)
Complexity: LOW

Exploit details are publicly available in GitHub repositories, making this easily exploitable by attackers with basic knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider upgrading to newer versions if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

Implement strict validation of the client-supplied filename on the upload-news-image endpoint: reject any name containing directory traversal sequences (../, ..\, and their URL-encoded forms such as %2e%2e/), path separators, or NUL bytes, and verify that the final resolved path is still inside the upload directory. Better still, discard the client filename and store the upload under a server-generated name with a whitelisted extension.
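The following is an added illustration of that workaround, written in Python rather than the project's own Java so that it runs stand-alone; it is not code from ruoyi-vue-pro. The unsafe pattern (join the client's filename onto the storage root) sits beside two hardened alternatives. UPLOAD_DIR and the extension whitelist are assumptions for the example.

```python
"""Added example (not ruoyi-vue-pro's own code): the weak pattern behind an
upload path traversal beside two hardened versions.

Assumptions: uploads are stored under UPLOAD_DIR and the multipart filename
sent by the client is the attacker-controlled input.
"""
import os
import re
import secrets

UPLOAD_DIR = "/var/app/uploads"  # assumed storage root, not the project's path

# Plain file names only: letters, digits, dot, underscore, dash.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")
_ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed whitelist


def vulnerable_target_path(client_filename: str) -> str:
    """The unsafe pattern: trust the client's filename and join it onto the
    storage root. '../' segments walk out of UPLOAD_DIR."""
    return os.path.normpath(os.path.join(UPLOAD_DIR, client_filename))


def hardened_target_path(client_filename: str) -> str:
    """Reject anything that is not a plain file name, then prove the final
    path is still inside UPLOAD_DIR after normalisation."""
    name = client_filename
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # Reject separators outright instead of silently stripping directories:
    # a name like '../../etc/passwd' is an attack signal, not a typo.
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename: %r" % name)
    if name in ("", ".", "..") or not _SAFE_NAME.match(name):
        raise ValueError("unsafe filename: %r" % name)
    target = os.path.normpath(os.path.join(UPLOAD_DIR, name))
    # Belt and braces: containment check independent of the regex.
    if os.path.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return target


def generated_target_path(client_filename: str) -> str:
    """Preferred option: ignore the client's name entirely and keep only a
    whitelisted extension on a random, server-chosen name."""
    last = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(last)[1].lower()
    if ext not in _ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


def rejects(fn, client_filename: str) -> bool:
    """True if fn refuses the name with ValueError (used for self-checks)."""
    try:
        fn(client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_target_path("../../../etc/passwd"))
    print("hardened  :", hardened_target_path("logo.png"))
    print("generated :", generated_target_path("../../evil.png"))
```

Note that the generated-name variant is the one to prefer: it removes the client filename from the path entirely, so there is nothing left to validate, and it also defeats overwrite of an existing upload.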

Access Control Restriction

Platforms: all

Restrict access to the /admin-api/mp/material/upload-news-image endpoint to authenticated administrators only, apply rate limiting, and log the submitted filename of every upload so that abuse is visible afterwards.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint that contain path traversal patterns. The filename of an upload travels in the multipart body, not in the URI, so the rule must inspect request bodies (including URL-encoded variants), not just the query string.
  • Disable or remove the Material Upload Interface component if not required for business operations.

🔍 How to Verify

Check if Vulnerable:

Send a multipart upload to the /admin-api/mp/material/upload-news-image endpoint (with a valid session) whose file part carries a filename containing a traversal sequence (e.g., ../../../etc/passwd), and observe whether the server rejects the name or processes it. On production systems, point the traversal at a harmless name in a directory you control rather than at a system file.

Check Version:

Check the backend version in the root pom.xml of the deployed source (the revision property) or the manifest of the built jar. The Vue front end's package.json does not contain the vulnerable code and its version may differ.

Verify Fix Applied:

After implementing workarounds, retest with path traversal payloads to confirm they are properly rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /admin-api/mp/material/upload-news-image whose multipart filename contains ../ or ..\ sequences, or their URL-encoded forms (%2e%2e/, %2e%2e%5c); this requires a log source that records the upload filename (WAF, reverse proxy with body logging, or application logs), since standard access logs only record the URI
  • Unusual file access patterns from web application user

Network Indicators:

  • HTTP POST requests to the vulnerable endpoint with suspicious file parameters
  • Unusual outbound file transfers from the application server

SIEM Query:

source="web_server" AND uri="/admin-api/mp/material/upload-news-image" AND (param="*../*" OR param="*..\\*" OR param="*%2e%2e*")

Here `param` stands for whichever field your log source uses for the upload filename; the query finds nothing if that field is not logged.
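As an added example that is not part of the original advisory, the script below runs that detection logic over captured HTTP requests instead of a SIEM field: it pulls the filename out of the multipart body of requests to the vulnerable endpoint, percent-decodes it repeatedly so single- and double-encoded variants are caught, and flags traversal segments. Its build_upload() helper also produces the shape of the probe request described under "How to Verify". The requests it analyses are constructed samples; the host name and boundary are assumptions.

```python
"""Added detection example (not part of the advisory or of ruoyi-vue-pro):
flags path traversal in uploads sent to the vulnerable endpoint.

The upload filename travels in the multipart body, so this must be fed from
a source that records bodies (WAF, proxy with body logging, application
request log). Plain access logs cannot supply it.
"""
import re
from urllib.parse import unquote

VULN_PATH = "/admin-api/mp/material/upload-news-image"

# A '..' segment bounded by start/end of string or either separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
FILENAME_RE = re.compile(
    r'Content-Disposition:[^\r\n]*?\bfilename="([^"\r\n]*)"', re.IGNORECASE
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(name: str) -> bool:
    """True if the (decoded) name contains a '..' path segment."""
    return bool(TRAVERSAL.search(fully_decode(name).replace("\x00", "")))


def analyze_request(raw: str):
    """Return a finding for one raw HTTP request, or None if it is benign."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target = request_line.split(" ")[:2]
    path, _, query = target.partition("?")
    if path != VULN_PATH:
        return None
    indicators = []
    # Query-string values, in case a variant passes the name outside the body.
    for pair in (query.split("&") if query else []):
        key, _, val = pair.partition("=")
        if has_traversal(val):
            indicators.append(("query:" + key, val))
    # Multipart part filenames, where the upload name actually lives.
    for fname in FILENAME_RE.findall(body):
        if has_traversal(fname):
            indicators.append(("multipart:filename", fname))
    if not indicators:
        return None
    return {"method": method, "path": path, "indicators": indicators}


def build_upload(filename: str, path: str = VULN_PATH,
                 boundary: str = "----probe") -> str:
    """Constructed sample: a minimal multipart upload of a PNG stub. This is
    also the shape of a verification probe; on live systems use a harmless
    filename, never a system file."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: image/png\r\n\r\n"
        "\x89PNG\r\n\x1a\n\r\n"
        f"--{boundary}--\r\n"
    )
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: admin.example.internal\r\n"  # assumed host
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n" + body
    )


if __name__ == "__main__":
    for name in ["banner.png", "../../../etc/passwd", "%252e%252e/x.png"]:
        print(name, "->", analyze_request(build_upload(name)))
```

The decode loop is capped rather than unbounded so that a crafted value cannot keep the detector busy; three rounds cover the double-encoding tricks that typically slip past a single-decode WAF rule.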
