CVE-2025-4258

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in Youkefu allows remote attackers to upload arbitrary files without restriction via the Upload function in MediaController.java. An attacker can upload malicious files such as webshells to gain unauthorized access or execute code on the server. All Youkefu releases up to and including version 4.2.0 are affected.

💻 Affected Systems

Products:
  • zhangyanbo2007 youkefu
Versions: up to 4.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the MediaController.java file in the webim component. Any deployment using vulnerable versions is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Upload of webshells or malware leading to unauthorized access, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Limited impact if file uploads are blocked at the network perimeter or strict file validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories. Attack requires network access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor the Youkefu GitHub repository for updates. Consider upgrading to any version above 4.2.0 if available.

🔧 Temporary Workarounds

Implement File Upload Validation (applies to: all)

Add server-side validation that restricts file types, extensions, and content; enforce file size limits and scan uploaded files.
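As an added example (not Youkefu's own code), the plain-Java validator below shows the server-side checks the workaround above calls for: an extension allow-list, a size limit, a content check against the declared type, and a random storage name that discards the client-supplied path. The image-only allow-list, the 5 MB limit and the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example, not Youkefu's code: checks an upload handler should run before
// writing anything to disk. Assumption: the media endpoint only needs images.
public final class UploadValidator {
    // Extension allow-list with the leading bytes ("magic") each type must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[] {'G', 'I', 'F', '8'});
    private static final long MAX_BYTES = 5L * 1024 * 1024;   // assumed size limit

    /** Returns the name to store the file under, or throws if it must be rejected. */
    public static String validate(String originalName, byte[] content) {
        if (originalName == null || content == null
                || content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("missing file or bad size");
        }
        // Drop any client-supplied directory part so "../" cannot leave the upload dir.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) throw new IllegalArgumentException("no extension");
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = MAGIC.get(ext);          // null for .jsp, .php, .exe, ...
        if (magic == null) throw new IllegalArgumentException("extension not allowed: " + ext);
        // The body must match the declared type; a script renamed to .png fails here.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            throw new IllegalArgumentException("content is not a valid ." + ext);
        }
        // Never reuse the client name on disk: random name plus allow-listed extension.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 13, 10, 26, 10};   // constructed sample
        System.out.println(validate("../../x.png", png));   // accepted: path ignored, random name
        try {   // allowed extension but non-image bytes: rejected
            validate("fake.png", "not an image".getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Writing the returned name into a directory the servlet container does not serve or execute from completes the mitigation; the validator alone does not control where the file ends up.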

Web Application Firewall Rules (applies to: all)

Configure the WAF to block requests to the vulnerable upload endpoint or to restrict file upload patterns.

🧯 If You Can't Patch

  • Isolate the Youkefu instance from the internet and restrict network access to trusted IPs only.
  • Implement strict file system permissions and monitor for unusual file uploads in the upload directory.

🔍 How to Verify

Check if Vulnerable:

Check the Youkefu version: 4.2.0 or earlier is vulnerable. Review MediaController.java for missing upload validation.

Check Version:

Check the application version in the web interface or configuration files. For Java applications, review pom.xml or similar version files.

Verify Fix Applied:

Test the file upload functionality with file types that should be restricted (e.g., .php, .jsp) and confirm they are rejected; this verifies that file validation is in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /upload endpoints
  • Requests with suspicious file extensions (.php, .jsp, .exe)
  • Large number of upload requests from single IP

Network Indicators:

  • HTTP POST requests to upload endpoints with malicious file content
  • Unusual outbound connections from the Youkefu server after upload

SIEM Query:

source="youkefu" AND (url_path="/upload" OR file_extension IN ("php", "jsp", "exe"))
