CVE-2025-31131
📋 TL;DR
YesWiki versions before 4.5.2 contain a path traversal vulnerability in the squelette parameter that allows attackers to read arbitrary files on the server. This affects all YesWiki installations running vulnerable versions. Attackers can exploit this without authentication to access sensitive system files.
💻 Affected Systems
- YesWiki
📦 What is this software?
Yeswiki by Yeswiki
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files (database credentials, API keys, SSH keys), leading to data exfiltration, privilege escalation, or lateral movement.
Likely Case
Exposure of sensitive configuration files, source code, and potentially user data stored in accessible files.
If Mitigated
Limited impact if file permissions restrict access to sensitive files, but still exposes readable files.
🎯 Exploit Status
The advisory includes technical details that make exploitation straightforward. Path traversal vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.2
Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm
Restart Required: No
Instructions:
1. Backup your YesWiki installation and database
2. Download YesWiki 4.5.2 or newer from the official repository
3. Replace all files with the new version (except custom configurations)
4. Verify the installation works correctly
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to filter path traversal sequences in the squelette parameter
Modify the affected PHP file to sanitize the squelette parameter by removing '../', '..\', and similar sequences
Web Application Firewall Rule
Block requests containing path traversal patterns in the squelette parameter
Add WAF rule to block requests with '../', '..\', or encoded equivalents in the squelette parameter
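The input-validation workaround above describes stripping '../' and '..\' from the squelette parameter. The following is an added illustration, not YesWiki's own code: it shows the allowlist-plus-containment approach a practitioner would prefer for a template-name parameter, next to an idempotency check that shows why a single-pass strip is not a complete filter on its own. The templates directory, the `.tpl.html` suffix and all function names are assumptions for the example.

```python
import os
import re

# Allowlist: a template name is one path segment of letters, digits, '_' or '-'.
# Anything containing '.', '/', '\' or '%' is rejected before any path is built.
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9_-]+')


def naive_strip(value: str) -> str:
    """Single-pass removal of traversal sequences, as the workaround describes."""
    return value.replace('../', '').replace('..\\', '')


def is_safe_template_name(name: str) -> bool:
    """Accept only names that match the allowlist in full."""
    return bool(SAFE_NAME_RE.fullmatch(name))


def resolve_template(name: str, templates_dir: str, suffix: str = '.tpl.html'):
    """Resolve `name` to a file under templates_dir, or return None if rejected.

    Assumed layout (hypothetical): one file per template, named <name><suffix>,
    directly inside templates_dir. The allowlist alone blocks traversal; the
    realpath containment check is defence in depth and also catches a symlinked
    template that points outside the directory.
    """
    if not is_safe_template_name(name):
        return None
    base = os.path.realpath(templates_dir)
    candidate = os.path.realpath(os.path.join(base, name + suffix))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def filter_is_idempotent(value: str) -> bool:
    """True if a second pass of naive_strip changes nothing.

    A strip-based filter that is not idempotent has left traversal sequences in
    its own output, which is why an allowlist is the safer primary control.
    """
    once = naive_strip(value)
    return naive_strip(once) == once


if __name__ == '__main__':
    for candidate in ('default', 'my-theme_2', '../config', 'a/b'):
        print(f'{candidate!r:20} -> {resolve_template(candidate, "/srv/yeswiki/themes")}')
```

`resolve_template` never touches the filesystem beyond `realpath`, so it is safe to call on untrusted input; the caller still decides what to do when `None` comes back (return an error rather than a default file, so the rejection is visible in logs).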
🧯 If You Can't Patch
- Implement strict file permissions to limit readable files to only those necessary for YesWiki operation
- Deploy a web application firewall with path traversal detection rules
🔍 How to Verify
Check if Vulnerable:
Check if your YesWiki version is below 4.5.2. Attempt to access a known file using path traversal in the squelette parameter.
Check Version:
Check the version.php file or YesWiki admin panel for version information
Verify Fix Applied:
After upgrading to 4.5.2, attempt the same path traversal attack. It should return an error or the legitimate file only.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with '../', '..\', or encoded equivalents in the squelette parameter
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests containing path traversal sequences targeting the vulnerable endpoint
SIEM Query:
web.url:*squelette=*..%2F* OR web.url:*squelette=*..%5C*
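The log indicators above list literal and encoded traversal sequences, while the SIEM query matches only the percent-encoded forms `..%2F` and `..%5C`. As an added example (not part of the advisory), the following Python scanner runs the same detection over constructed Apache combined-format log lines: it extracts the squelette parameter, percent-decodes until stable so double-encoded values are also normalised, folds backslashes to slashes, and flags any value that contains a `..` path segment. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /?squelette=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /?squelette=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /?squelette=..%252F..%252Fconfig HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:12:00:04 +0000] "GET /?squelette=..%5C..%5Cconfig HTTP/1.1" 200 900 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /?squelette=default HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:06 +0000] "GET /?page=..%2F..%2Fx HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by a separator (or string start/end), checked after normalisation.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (covers double encoding),
    then fold backslashes to forward slashes so one pattern covers both forms."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def scan_log(text: str, param: str = 'squelette') -> list:
    """Return one finding per log line whose `param` value contains a traversal segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        query = urlsplit(m.group('target')).query
        # parse_qsl percent-decodes once; normalize() handles any further layers.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name != param:
                continue
            norm = normalize(value)
            if TRAVERSAL_RE.search(norm):
                findings.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'status': int(m.group('status')),
                    'raw': value,
                    'normalized': norm,
                })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} squelette={f['normalized']!r}")
```

The `status` field matters for triage: a 200 on a flagged request from an unpatched 4.5.x install is a stronger indicator than a 404, because the fix is expected to return an error or only the legitimate file. Decoding before matching is what lets this catch the literal `../` and double-encoded `..%252F` requests that the `..%2F`/`..%5C` query alone would miss.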