Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A missing protection against path traversal allows to access any file on the server.
AnalysisAI
Critical path traversal vulnerability (CWE-23) that allows unauthenticated remote attackers to read, write, or delete arbitrary files on affected servers with a CVSS score of 9.8. The vulnerability requires no user interaction, has low attack complexity, and grants complete confidentiality, integrity, and availability impact. Without access to KEV status, EPSS scores, POC details, or specific CPE identifiers from the provided data, this appears to be a severe vulnerability affecting multiple server-side products; confirmation of active exploitation status and patch availability requires cross-referencing official vendor security advisories.
Technical ContextAI
Path traversal (CWE-23) vulnerabilities occur when an application fails to properly sanitize or validate user-supplied file path input, allowing attackers to use directory traversal sequences (e.g., '../', '..\', URL encoding, unicode encoding) to escape intended directory boundaries and access files outside the application's root directory. The missing protection mechanism indicates insufficient input validation and/or output encoding on file system operations. This commonly affects web applications, APIs, file upload handlers, and any service that constructs file paths from user input without proper canonicalization or whitelist validation. The network-based attack vector (AV:N) suggests this is likely a web-accessible service or API endpoint, while AC:L (low complexity) indicates standard path traversal payloads suffice without race conditions or other timing dependencies.
RemediationAI
Without explicit patch version data from vendor advisories, general mitigation steps include: (1) IMMEDIATE: disable or restrict network access to affected services via firewall rules if patch is unavailable; (2) apply vendor-released security patches immediately upon availability (monitor vendor security pages and mailing lists); (3) implement input validation: use whitelist-based path validation, reject requests containing '../', '..\', and encoded variants; (4) canonicalize file paths before access (resolve to absolute paths and verify against allowed directory); (5) run services with least-privilege file system permissions; (6) use security modules (ModSecurity, OWASP CRS) to block path traversal patterns; (7) enable detailed audit logging of file access attempts. Consult vendor security advisories at vendor-security-page.com or CISA alerts for specific patch URLs and deployment guidance.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17091