Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable traversal (PR:N/UI:N/AC:L) yielding arbitrary file read, so C:H but no integrity or availability impact (I:N/A:N).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 and fixed in v.22.5 AU1 allows remote attackers to read arbitrary system and application files via the image parameter
AnalysisAI
Arbitrary file disclosure in Follett Software's Destiny Library Manager (version 22_0_2_rc1) lets remote unauthenticated attackers read system and application files by supplying directory-traversal sequences in the 'image' parameter. Publicly available exploit code exists (a Medium write-up documenting the unauthenticated LFI), and CISA's SSVC framework classifies exploitation as proof-of-concept and automatable, though EPSS remains modest at 0.46% (64th percentile). The flaw is fixed in v.22.5 AU1.
Technical ContextAI
Destiny Library Manager is Follett's web-based library circulation and cataloging platform widely deployed across K-12 schools and districts. The vulnerability is a classic CWE-22 path/directory traversal: an HTTP-exposed 'image' parameter is used to build a filesystem path without properly canonicalizing or restricting it to an intended base directory, so traversal sequences (e.g., '../../') escape the web root and resolve to arbitrary files the application's service account can read. Because the parameter is reachable pre-authentication, this manifests as an unauthenticated local file inclusion/read against the application server. The CPE data provided is a placeholder ('cpe:2.3:a:n/a:n/a:*') and the EUVD affected-version field is 'n/a', so the exact affected build must be taken from the CVE description itself (22_0_2_rc1).
RemediationAI
Upgrade to the patched release - Vendor-released patch: v.22.5 AU1 - which remediates the traversal in the image-handling code; consult Follett (http://follett.com) for the district-specific update path and any intermediate builds. Until patched, restrict exposure by placing Destiny behind a VPN or IP allow-list so the application is not directly internet-reachable, and deploy a WAF or reverse-proxy rule to reject requests whose 'image' parameter contains traversal sequences or encoded variants ('../', '..%2f', '%2e%2e', absolute paths, null bytes); note WAF filtering is a mitigation, not a fix, and can be bypassed by novel encodings. Additionally ensure the Destiny service account runs with least privilege so that even a successful traversal reads as little sensitive data as possible, and monitor web logs for anomalous 'image' parameter values. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-45145 and the public technical write-up at https://medium.com/@jaredutahusa/cve-2025-45145-unauthenticated-local-file-inclusion-in-fsc-destiny-40a3f11b3a4d.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209923
GHSA-99w5-3688-qwj6