RuoYi CVE-2025-7906

Severity: LOW (2.1, CVSS 4.0, NVD)
Weakness: Improper Access Control (CWE-284)
Published: 2025-07-20 (CNA: cna@vuldb.com)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS vector (NVD) breakdown:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026 01:25 (vuln.today)

Description (CVE.org)

A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFile of the file ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

RuoYi versions up to 4.8.1 allow authenticated users to upload files without restriction via the CommonController.uploadFile function, enabling arbitrary file upload. The vulnerability requires valid credentials (PR:L per the CVSS vector) but permits remote exploitation with low complexity. Public exploit code exists; however, the EPSS score of 0.05% (15th percentile) suggests minimal real-world exploitation despite public disclosure, indicating that the threat is constrained by the authentication requirement or other practical barriers.

Technical Context (AI)

The vulnerability resides in the CommonController.uploadFile method (ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java) within the RuoYi administrative framework, a Java-based enterprise resource planning system. The root cause is classified as CWE-284 (Improper Access Control), specifically the absence of file type validation or upload restrictions on the File parameter. The uploadFile endpoint does not implement proper input sanitization or Content-Type verification, allowing attackers holding valid session credentials to circumvent the intended file upload restrictions. This is a common pattern in Java web applications whose file upload handlers lack sufficient validation logic.

Remediation (AI)

Upgrade RuoYi to version 4.8.2 or later if available from the official yangzongzhuan/RuoYi GitHub repository. If a patched version is not immediately available, implement server-side file type validation as follows:

(1) Maintain an allowlist of permitted file extensions and MIME types.
(2) Validate the uploaded file content against the declared type (magic bytes verification, not just extension checking).
(3) Store uploads outside the web root or in a non-executable directory.
(4) Set restrictive file permissions (chmod 644 or equivalent).
(5) Restrict the uploadFile endpoint to specific administrative roles via Spring Security configuration if role-based access is not already enforced.

Additionally, monitor uploads for suspicious file patterns and consider implementing file size limits. Refer to the official RuoYi GitHub issues page (https://github.com/yangzongzhuan/RuoYi/issues/296) for patch release notes and configuration guidance.
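The following is an added example of steps (1) through (4) in a single Java helper; it is not RuoYi's code or the upstream patch, and the class name, upload root and size limit are assumptions. Step (5), the role restriction, belongs in the controller or Spring Security configuration and is not shown.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;
/* Hypothetical hardened upload helper (added example, not RuoYi's code).
   Covers remediation steps (1)-(4): extension/MIME allowlist, magic-byte
   check, storage outside the web root under a random name, 644 perms. */
public final class SafeUploadValidator {
    private static final Map<String, String> ALLOWED = Map.of(
        "png", "image/png", "jpg", "image/jpeg", "jpeg", "image/jpeg", "pdf", "application/pdf");
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf", new byte[]{'%', 'P', 'D', 'F'});
    private static final long MAX_BYTES = 5L * 1024 * 1024;                    // assumed size limit
    private static final Path UPLOAD_ROOT = Paths.get("/var/lib/app/uploads"); // assumed; outside web root

    /** Validates an upload and stores it; throws SecurityException on any failed check. */
    public static Path store(String originalName, String declaredType, byte[] content) throws IOException {
        if (content.length == 0 || content.length > MAX_BYTES)
            throw new SecurityException("size out of range");
        // (1) Both the extension and the declared Content-Type must be on the allowlist.
        String ext = extension(originalName);
        String expectedType = ALLOWED.get(ext);
        if (expectedType == null || !expectedType.equalsIgnoreCase(declaredType))
            throw new SecurityException("type not allowed: " + originalName);
        // (2) The bytes must match the magic number of the claimed type, not just the name.
        byte[] magic = MAGIC.get(ext);
        if (content.length < magic.length || !Arrays.equals(Arrays.copyOf(content, magic.length), magic))
            throw new SecurityException("content does not match declared type");
        // (3) Discard the client-supplied name entirely; a random name with a known-safe
        //     extension defeats double-extension names (e.g. "x.jsp.png") and path traversal.
        Path target = UPLOAD_ROOT.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) throw new SecurityException("path escape");
        Files.createDirectories(UPLOAD_ROOT);
        Files.write(target, content, StandardOpenOption.CREATE_NEW);
        // (4) rw-r--r-- (644), never executable; skipped on filesystems without POSIX permissions.
        try { Files.setPosixFilePermissions(target, PosixFilePermissions.fromString("rw-r--r--")); }
        catch (UnsupportedOperationException ignored) { }
        return target;
    }

    /** Lowercased final extension of the name, with any directory components stripped. */
    private static String extension(String name) {
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(slash + 1).toLowerCase(Locale.ROOT);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1);
    }
}
```

Because the stored name is generated server-side and the directory is outside the web root, a file that passes the checks cannot be reached as a servable resource by its original name.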
