PerfreeBlog CVE-2025-60731

Severity: HIGH (7.6, CVSS 3.1, Vendor: mitre)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Published: 2025-10-24 by cve@mitre.org

Severity by source

Vendor (mitre), primary: 7.6 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

vuln.today AI: 8.8 HIGH
Rationale: a network-reachable, low-complexity upload that needs only an authenticated low-privileged account (PR:L); because an arbitrary file upload yields web-shell code execution, confidentiality, integrity and availability are all rated High rather than the vendor's Low integrity and availability.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jul 05, 2026 - 03:06 (vuln.today)

Description (CVE.org)

PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function

Analysis (AI)

Arbitrary file upload in PerfreeBlog v4.0.11 lets an authenticated, low-privileged attacker abuse the installTheme function to upload files of any type (for example a web shell) in place of a theme package; on a deployment that serves or executes the dropped file, this yields server-side code execution and full compromise of the blog host. The flaw is a classic unrestricted-upload issue (CWE-434) reachable over the network. Public exploit material exists in the form of a GitHub write-up, though the EPSS exploitation probability remains low (0.28%, 20th percentile) and the CVE is not listed in CISA KEV.

Technical Context (AI)

PerfreeBlog is a lightweight open-source (Java/Spring-based) blogging and content-management system maintained at perfree.org.cn, identified by cpe:2.3:a:perfree:perfreeblog:4.0.11. The vulnerability lives in the installTheme function, which is intended to accept and deploy theme packages. Rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), the function fails to validate the type, extension, or content of uploaded files, so an attacker can supply an executable server-side payload instead of a legitimate theme archive. Because themes are unpacked into a web-accessible or server-executable location, an uploaded script can subsequently be requested to run attacker-controlled code within the application's context. Exactly which file types execute on a given deployment depends on how the theme directory is served (a JSP, for instance, only runs where a JSP-capable container serves that path), so the impact should be confirmed per installation rather than assumed; even where nothing executes, the upload still lets an attacker plant or overwrite arbitrary content in the theme tree.
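To make the missing check concrete, here is an added example of what validating a theme archive before unpacking looks like. It is not PerfreeBlog's own code and is written in Python as a portable illustration of the logic a Java upload handler would need: the upload must be a zip from byte 0 (a JSP body with a zip appended still parses as a zip), every entry must stay inside the extraction root (zip slip), and entry extensions must come from an allowlist rather than merely miss a denylist. The theme layout, the allowed and dangerous extension sets, and the size limits are assumptions for the illustration, not PerfreeBlog's real theme format.

```python
# Added example, not PerfreeBlog's code: validate a theme archive before unpacking.
# The layout, extension sets and limits below are assumptions for illustration.
import io
import posixpath
import zipfile

# Server-side file types a theme package has no business shipping (assumed set).
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".jar", ".class", ".war", ".php", ".sh", ".exe"}
# Files a theme legitimately contains (assumed allowlist; extend per real theme format).
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".json", ".md", ".png", ".jpg", ".svg", ".ico", ".woff2"}
MAX_ENTRIES = 2000
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024


def is_safe_member_path(name: str) -> bool:
    """True if a zip entry name cannot escape the extraction root (zip slip check)."""
    if not name or "\x00" in name or "\\" in name or name.startswith("/"):
        return False
    parts = posixpath.normpath(name).split("/")
    # normpath keeps a leading "..", so a traversal shows up as the first component.
    return parts[0] not in ("..", ".", "") and ".." not in parts


def validate_theme_archive(data: bytes) -> list[str]:
    """Return rejection reasons for an uploaded theme; an empty list means accept."""
    # Check the magic at offset 0 ourselves: zipfile happily parses a file with
    # junk (e.g. a JSP body) prepended to a zip, which is exactly a polyglot upload.
    if not data.startswith(b"PK\x03\x04"):
        return ["not a zip archive (no local file header at offset 0)"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive (corrupt central directory)"]
    problems: list[str] = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        declared_total = 0
        for info in infos:
            name = info.filename
            if not is_safe_member_path(name):
                problems.append(f"unsafe path: {name!r}")
                continue
            if info.is_dir():
                continue
            declared_total += info.file_size
            ext = posixpath.splitext(name)[1].lower()
            if ext in DANGEROUS_EXTENSIONS:
                problems.append(f"executable content: {name!r}")
            elif ext not in ALLOWED_EXTENSIONS:
                problems.append(f"extension not in allowlist: {name!r}")
        # Header sizes are attacker-controlled; the extractor must still cap the
        # bytes it writes. This check only rejects the obvious bombs early.
        if declared_total > MAX_UNCOMPRESSED_BYTES:
            problems.append(f"declared size {declared_total} exceeds limit")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (used only to construct the sample uploads below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads (not real PerfreeBlog themes).
BENIGN_THEME = build_zip({
    "mytheme/theme.json": b'{"name": "mytheme"}',
    "mytheme/index.html": b"<html><body>hello</body></html>",
    "mytheme/static/style.css": b"body { margin: 0 }",
})
WEBSHELL_THEME = build_zip({
    "mytheme/theme.json": b'{"name": "mytheme"}',
    "mytheme/cmd.jsp": b"<%-- placeholder standing in for a JSP web shell --%>",
})
ZIPSLIP_THEME = build_zip({
    "mytheme/theme.json": b"{}",
    "../../webapps/ROOT/x.jsp": b"<%-- placeholder --%>",
})
POLYGLOT_UPLOAD = b"<%@ page %>" + WEBSHELL_THEME  # JSP body with a zip appended


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_THEME), ("webshell", WEBSHELL_THEME),
                        ("zipslip", ZIPSLIP_THEME), ("polyglot", POLYGLOT_UPLOAD)]:
        print(label, validate_theme_archive(blob) or "accepted")
```

The order of the checks matters: the magic and path checks come first so that a traversal entry is never even considered for extension matching, and the allowlist runs after the denylist only so that the rejection reason is specific. Checking the client-supplied Content-Type or the outer file name instead of the bytes would not have caught the polyglot case.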

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the only vendor reference is the project homepage (https://perfree.org.cn/), so monitor it and the project's release channel for a fixed build after 4.0.11 and upgrade as soon as one is published.

Until a patch is available, apply compensating controls. Restrict the theme-installation endpoint (the installTheme function) to trusted administrators by tightening role permissions so ordinary authors cannot reach it; since the flaw needs only a low-privileged account (PR:L), this removes the most likely attacker population. Place the admin panel behind a VPN or IP allowlist to remove untrusted network reachability (trade-off: complicates legitimate remote administration). Enforce server-side validation, or a WAF rule in front of the theme path, that rejects uploads and archive entries with executable extensions (.jsp, .jspx, .php and the like) and accepts only the file types a theme legitimately ships; an allowlist is preferable to a denylist, and a WAF rule keyed on the outer file name alone will not see the names of files inside an archive (trade-off: may block legitimate theme packages containing such files). Configure the theme/upload directory as non-executable at the web-server layer so that a dropped web shell is served as inert content rather than run (trade-off: could break themes that rely on server-side scripts).

For detection, use the public PoC write-up mentioned in the analysis to build signatures for anomalous installTheme requests: uploads by non-admin accounts or from outside the administrative network, uploads whose name carries a server-side extension, and subsequent requests for script files under the theme directory.
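The detection point above, as an added example that is not vuln.today's or PerfreeBlog's code: a rule run over constructed application-log lines (JSON, one event per line) that flags theme installs by non-admin accounts or from outside an admin network, uploads whose name carries a server-side extension, and a later request for a server-side script under the theme tree, correlated with the upload from the same source that planted it. The log schema, the assumption that the endpoint path contains "installTheme", the admin account, the admin network and the theme URL prefix are all assumptions; substitute the real field names and paths from the deployment.

```python
# Added example, not vuln.today's or PerfreeBlog's code: flag suspicious theme
# installs in application logs. Log schema, paths and allowlists are assumptions.
import json
import posixpath
from ipaddress import ip_address, ip_network

INSTALL_THEME_MARKER = "installTheme"        # assumed: endpoint path contains this
THEME_URL_PREFIX = "/themes/"                # assumed: where unpacked themes are served
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".jar", ".class", ".war", ".php", ".sh"}
ADMIN_USERS = {"admin"}                      # assumed: only this account installs themes
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed: admin access only from here

# Constructed sample log (JSON lines); the third and fourth lines are the attack.
SAMPLE_LOG = """\
{"ts":"2025-10-24T09:00:01Z","src":"10.1.2.3","user":"admin","method":"POST","path":"/admin/theme/installTheme","status":200,"upload":"dark-theme.zip"}
{"ts":"2025-10-24T09:05:12Z","src":"203.0.113.7","user":"author1","method":"POST","path":"/admin/theme/installTheme","status":200,"upload":"theme.zip"}
{"ts":"2025-10-24T09:05:40Z","src":"203.0.113.7","user":"author1","method":"POST","path":"/admin/theme/installTheme","status":200,"upload":"cmd.jsp"}
{"ts":"2025-10-24T09:06:02Z","src":"203.0.113.7","user":"-","method":"GET","path":"/themes/mytheme/cmd.jsp","status":200,"upload":null}
{"ts":"2025-10-24T09:10:00Z","src":"10.1.2.3","user":"admin","method":"GET","path":"/admin/theme/list","status":200,"upload":null}
"""


def is_theme_install(event: dict) -> bool:
    return event.get("method") == "POST" and INSTALL_THEME_MARKER in event.get("path", "")


def classify(event: dict) -> list[str]:
    """Stateless checks on one event; returns the reasons it is suspicious."""
    reasons: list[str] = []
    path = event.get("path", "")
    if is_theme_install(event):
        if event.get("user") not in ADMIN_USERS:
            reasons.append("theme install by non-admin account")
        if not any(ip_address(event["src"]) in net for net in ADMIN_NETWORKS):
            reasons.append("theme install from outside admin network")
        upload = event.get("upload") or ""
        ext = posixpath.splitext(upload)[1].lower()
        if ext in DANGEROUS_EXTENSIONS:
            reasons.append(f"executable upload name {upload!r}")
        elif ext != ".zip":
            reasons.append(f"upload is not a theme archive: {upload!r}")
    # Post-exploitation signal: a server-side script answered from the theme tree.
    if (event.get("method") == "GET" and path.startswith(THEME_URL_PREFIX)
            and posixpath.splitext(path)[1].lower() in DANGEROUS_EXTENSIONS
            and event.get("status") == 200):
        reasons.append(f"server-side script served from theme directory: {path}")
    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run classify() over JSON lines and correlate uploads with later fetches."""
    findings: list[tuple[str, list[str]]] = []
    planted: set[tuple[str, str]] = set()   # (source ip, uploaded basename)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if is_theme_install(event) and event.get("upload"):
            planted.add((event["src"], posixpath.basename(event["upload"])))
        fetched = (event["src"], posixpath.basename(event.get("path", "")))
        if event.get("method") == "GET" and fetched in planted:
            reasons.append("fetched a file this source itself uploaded via installTheme")
        if reasons:
            findings.append((event["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

The correlation in scan() keys on (source address, uploaded basename), so a shell fetched from a different address than the one that uploaded it is still caught by the stateless theme-directory check; the correlation only adds confidence. Tune the admin account and network assumptions to the deployment before relying on the first two reasons, otherwise every legitimate remote theme install becomes a finding.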
