PerfreeBlog
CVE-2025-60729
Severity: MEDIUM (by source)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-exploitable path traversal with no auth or interaction; C:L reflects constrained file read scope absent evidence of unrestricted filesystem access.
Primary rating from vendor (MITRE).
CVSS Vector (Vendor: MITRE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (CVE.org)
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the validThemeFilePath function.
Analysis (AI)
Arbitrary file read in PerfreeBlog v4.0.11 allows unauthenticated remote attackers to read files outside the intended web root by bypassing path validation in the validThemeFilePath function. The vulnerability is network-exploitable with no authentication or user interaction required, and a public proof-of-concept is documented on GitHub. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.33% suggests limited observed exploitation activity despite the PoC's existence.
Technical Context (AI)
PerfreeBlog is a Java-based blogging platform developed by Perfree (perfree.org.cn), identified via CPE cpe:2.3:a:perfree:perfreeblog:4.0.11. The vulnerability resides in the validThemeFilePath function, which is responsible for validating file paths when serving theme-related assets. The assigned CWE is CWE-126 (Buffer Over-read), though this classification appears to be a mislabeling: the described impact (arbitrary file read via path validation bypass) is more consistent with CWE-22 (Path Traversal / Improper Limitation of a Pathname to a Restricted Directory). This discrepancy suggests an NVD or reporter tagging error and should be treated as an informational inconsistency. The root cause is likely insufficient canonicalization or allowlist enforcement in the path validation routine, enabling directory traversal sequences (e.g., ../) to escape the intended theme file directory and access arbitrary server files.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis - no fixed version number appears in the available reference data. The NVD reference points to a researcher-authored PoC document at the GitHub repository (https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Read/Arbitrary%20File%20Read%20Vulnerability%20in%20PerfreeBlog%20System.md) and the vendor site (https://perfree.org.cn/), but no patched release is cited. Administrators should check the official Perfree release page for updates beyond 4.0.11. As an immediate compensating control, restrict network access to theme file serving endpoints at the reverse proxy or WAF layer, blocking path traversal patterns (../, %2e%2e, URL-encoded variants) in file path parameters. Additionally, run the PerfreeBlog application process under a dedicated low-privilege OS user with filesystem access scoped strictly to the web root and theme directories, limiting the blast radius of a successful read. Disabling the theme file preview or upload functionality if not operationally required eliminates the attack surface entirely. Trade-off: WAF rules may produce false positives on legitimate theme file requests using non-standard path structures.
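The root cause described above (string matching instead of canonicalization) and the remediation advice are illustrated by the following added example. It is not PerfreeBlog's code: the weak check, the hardened check, the theme root path and the extension allowlist are all assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class ThemeFileValidator {
    // Weak check of the kind that lets traversal through: it only inspects the
    // start of the string, so a path such as "css/../../../../etc/passwd" passes.
    static boolean weakValid(String requested) {
        return requested != null && !requested.startsWith("../") && !requested.startsWith("/");
    }

    // File types a theme is expected to contain (an assumption for this example).
    static final Set<String> ALLOWED_EXT = Set.of("html", "ftl", "css", "js", "png", "jpg", "svg");

    // Hardened check: canonicalize first, then require the result to stay under the
    // theme root and carry an allowlisted extension. Expects the already URL-decoded
    // parameter, so it must run after the servlet container has decoded it.
    static boolean hardenedValid(Path themeRoot, String requested) {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) return false;
        if (requested.contains("\\") || requested.startsWith("/")) return false;
        Path root = themeRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(requested).normalize();   // collapses "." and ".." segments
        if (!candidate.startsWith(root) || candidate.equals(root)) return false;
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || !ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT))) return false;
        try {
            // If the file exists, also follow symlinks: a link inside the theme
            // directory that points outside of it must still be rejected.
            if (Files.exists(candidate)) {
                return candidate.toRealPath().startsWith(root.toRealPath());
            }
        } catch (IOException e) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/opt/perfreeblog/themes/default");   // constructed theme root
        String[] probes = { "css/style.css", "css/../../../../etc/passwd", "/etc/passwd",
                            "../default/index.html", "css/.htaccess" };
        for (String p : probes) {
            System.out.printf("%-32s weak=%-5b hardened=%-5b%n", p, weakValid(p), hardenedValid(root, p));
        }
    }
}
```

Note that "../default/index.html" is accepted by the hardened check because after normalization it still resolves inside the theme root, while the weak check rejects it on its prefix alone; containment after canonicalization, not pattern matching, is what decides.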