CVE-2025-8753

5.4 MEDIUM

📋 TL;DR

This critical vulnerability in litemall allows attackers to perform path traversal attacks via the delete function in the file handler component. Remote attackers can manipulate the 'key' parameter to delete arbitrary files on the server. All users running litemall versions up to 1.8.0 are affected.

💻 Affected Systems

Products:
  • linlinjava litemall
Versions: up to 1.8.0
Operating Systems: All platforms running litemall
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default configuration are vulnerable. The vulnerability exists in the admin storage delete functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or privilege escalation.

🟠 Likely Case: Unauthorized deletion of application files, configuration files, or user data causing service disruption and data loss.

🟢 If Mitigated: Limited impact with proper file permission restrictions and input validation, potentially only affecting non-critical files.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly disclosed in a GitHub issue. The attack requires access to the admin storage delete endpoint but does not require authentication for the vulnerable code path itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.1 or later

Vendor Advisory: https://github.com/linlinjava/litemall/issues/564

Restart Required: No

Instructions:

1. Update litemall to version 1.8.1 or later.
2. Check the GitHub issue for specific patch details.
3. Verify the fix by testing the delete functionality with path traversal attempts.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all platforms)

Implement server-side validation to reject file paths containing directory traversal sequences: reject keys containing '../', '..\\', or absolute paths.
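The following is an added example of the validation described above; it is not litemall's own code, and the storage root path it uses is a hypothetical placeholder. It layers a lexical check (reject '..' components, absolute paths and NUL bytes, treating '\\' like '/') with a canonical-path check that the resolved location still sits under the storage root, so a key that slips past the string filter is still refused.

```python
from pathlib import Path, PurePosixPath

# Hypothetical storage root for this example; litemall's real storage path is not given on this page.
STORAGE_ROOT = Path("/var/lib/litemall/storage")


class InvalidStorageKey(ValueError):
    """Raised when a storage key must not be turned into a filesystem path."""


def resolve_storage_key(key: str, root: Path = STORAGE_ROOT) -> Path:
    """Map a user-supplied storage key to a path strictly inside `root`.

    Two independent layers: a lexical check that rejects '..' components,
    absolute paths and NUL bytes, and a canonical-path check that the final
    resolved location still sits under the storage root (this also covers
    cases the string filter does not anticipate, such as symlinks inside it).
    """
    if not key or "\x00" in key:
        raise InvalidStorageKey("empty key or NUL byte")
    # Treat backslashes as separators so '..\\' is handled exactly like '../'
    normalised = key.replace("\\", "/")
    # Reject POSIX absolute paths and Windows drive-letter paths (e.g. C:/...)
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise InvalidStorageKey("absolute path not allowed")
    if ".." in PurePosixPath(normalised).parts:
        raise InvalidStorageKey("traversal component in key")
    root_resolved = root.resolve()
    candidate = (root_resolved / normalised).resolve()
    # The resolved file must have the storage root as an ancestor
    if root_resolved not in candidate.parents:
        raise InvalidStorageKey("resolved path escapes storage root")
    return candidate


def is_safe_key(key: str, root: Path = STORAGE_ROOT) -> bool:
    """Boolean convenience wrapper around resolve_storage_key."""
    try:
        resolve_storage_key(key, root)
        return True
    except InvalidStorageKey:
        return False


if __name__ == "__main__":
    # Constructed sample keys: one legitimate object key and several that must be refused
    for sample in ("images/2025/photo.jpg", "../../etc/passwd", "..\\..\\win.ini",
                   "/etc/passwd", "images/../../x"):
        print(f"{sample!r}: {'accepted' if is_safe_key(sample) else 'rejected'}")
```

The delete handler would call resolve_storage_key and only unlink the returned path; anything that raises is logged and answered with a generic error rather than echoed back. Keeping the canonical-path check even when the string filter is present matters because the filter is a denylist and the root check is the actual security boundary.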

Access Restriction (applies to: all platforms)

Restrict access to the /admin/storage/delete endpoint using network controls or authentication: configure firewall rules or web server ACLs to limit access to admin endpoints.

🧯 If You Can't Patch

  • Implement strict file permission controls to limit what files the application user can delete
  • Deploy a web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Test the /admin/storage/delete endpoint with path traversal payloads like '../../etc/passwd' in the key parameter

Check Version:

Check the litemall version in the application configuration or build files; it is typically declared in pom.xml.

Verify Fix Applied:

Attempt the same path traversal attacks after patching; they should be rejected with proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual delete operations with path traversal patterns in request logs
  • Failed delete attempts with error messages related to invalid paths
  • Multiple delete requests to admin storage endpoint

Network Indicators:

  • HTTP requests to /admin/storage/delete containing '../' sequences
  • Unusual patterns of file deletion requests

SIEM Query:

source="web_logs" AND uri="/admin/storage/delete" AND (request_body CONTAINS "../" OR request_body CONTAINS "..\\")
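As an added example (not part of the original advisory), the detection below implements the SIEM query and the "multiple delete requests" indicator above over a small set of constructed JSON request records. The log format and the burst threshold are assumptions; real deployments would adapt both. It percent-decodes parameter values before matching so that an encoded '..%5C' or '..%2F' is caught by the same rule as a literal '../', which a raw substring match on the request body misses.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

TARGET_URI = "/admin/storage/delete"
# '..' as a whole path component, after separators have been unified to '/'
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
ABSOLUTE_RE = re.compile(r"^(/|[A-Za-z]:/)")
BURST_THRESHOLD = 5            # assumption: deletes per source within the window
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample records in a hypothetical JSON-lines request log
SAMPLE_LOGS = """\
{"ts": "2025-01-15T10:00:00", "src_ip": "10.0.0.5", "uri": "/admin/storage/delete", "request_body": "key=images/2025/banner.png"}
{"ts": "2025-01-15T10:00:04", "src_ip": "10.0.0.5", "uri": "/admin/storage/list", "request_body": ""}
{"ts": "2025-01-15T10:01:10", "src_ip": "203.0.113.7", "uri": "/admin/storage/delete", "request_body": "key=../../etc/passwd"}
{"ts": "2025-01-15T10:01:12", "src_ip": "203.0.113.7", "uri": "/admin/storage/delete", "request_body": "key=..%5C..%5Cwindows%5Cwin.ini"}
{"ts": "2025-01-15T10:01:15", "src_ip": "203.0.113.7", "uri": "/admin/storage/delete?key=..%252F..%252Fetc%252Fpasswd", "request_body": ""}
{"ts": "2025-01-15T10:05:00", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old1.png"}
{"ts": "2025-01-15T10:05:05", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old2.png"}
{"ts": "2025-01-15T10:05:10", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old3.png"}
{"ts": "2025-01-15T10:05:15", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old4.png"}
{"ts": "2025-01-15T10:05:20", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old5.png"}
{"ts": "2025-01-15T10:05:25", "src_ip": "198.51.100.9", "uri": "/admin/storage/delete", "request_body": "key=images/old6.png"}
"""


def normalise_value(value: str) -> str:
    """Percent-decode (at most twice, to handle nested encoding) and unify separators."""
    decoded = value
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the parameter value contains a '..' component or is an absolute path."""
    norm = normalise_value(value)
    return bool(TRAVERSAL_RE.search(norm) or ABSOLUTE_RE.match(norm))


def parameter_values(record: dict):
    """Yield every parameter value from the query string and the form body."""
    path, _, query = record["uri"].partition("?")
    values = []
    for source in (query, record.get("request_body", "")):
        for vals in parse_qs(source, keep_blank_values=True).values():
            values.extend(vals)
    return path, values


def analyse(lines):
    """Return traversal alerts per request and burst alerts per source IP."""
    alerts = []
    per_source = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        path, values = parameter_values(rec)
        if path != TARGET_URI:
            continue
        per_source[rec["src_ip"]].append(datetime.fromisoformat(rec["ts"]))
        hits = [normalise_value(v) for v in values if is_traversal(v)]
        if hits:
            alerts.append({"type": "traversal", "src_ip": rec["src_ip"],
                           "ts": rec["ts"], "payload": hits[0]})
    for ip, times in per_source.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if in_window >= BURST_THRESHOLD:
                alerts.append({"type": "burst", "src_ip": ip,
                               "ts": start.isoformat(), "count": in_window})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The burst rule fires on legitimate-looking keys too, which is intentional: a run of deletions from one source against the admin endpoint is worth a look even when no traversal string is present.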
