Skip to main content

zhousg letao CVE-2025-8128

LOW
Improper Access Control (CWE-284)
2025-07-25 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:47 vuln.today

DescriptionCVE.org

A vulnerability, which was classified as critical, has been found in zhousg letao up to 7d8df0386a65228476290949e0413de48f7fbe98. This issue affects some unknown processing of the file routes\bf\product.js. The manipulation of the argument pictrdtz leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

AnalysisAI

Unrestricted file upload vulnerability in zhousg letao allows authenticated remote attackers to upload arbitrary files via manipulation of the pictrdtz argument in routes/bf/product.js, leading to potential code execution or system compromise. The vulnerability affects rolling-release versions up to commit 7d8df0386a65228476290949e0413de48f7fbe98, with publicly available exploit code disclosed but limited real-world exploitation risk due to CVSS 2.1 score and low EPSS (0.07%, 20th percentile), suggesting this is primarily a design flaw rather than an actively weaponized threat.

Technical ContextAI

The vulnerability resides in the file upload handling mechanism within routes/bf/product.js, classified as CWE-284 (Improper Access Control). The file upload function fails to properly validate or restrict the pictrdtz parameter, which controls upload destination or file naming. The underlying issue is inadequate input validation and access control enforcement, allowing authenticated users to bypass intended upload restrictions. Given the product uses rolling releases via GitHub, no fixed version tags exist, making traditional patch management difficult. The GitHub issue references suggest this is an open-source Node.js or similar application framework handling e-commerce product image uploads without sufficient authorization checks.

Affected ProductsAI

zhousg letao is affected in all rolling-release versions up to commit 7d8df0386a65228476290949e0413de48f7fbe98 on the master branch (GitHub: github.com/zhousg/letao). No traditional version numbers exist due to rolling release model. The affected component is specifically the product image upload functionality in routes/bf/product.js. CPE string cannot be reliably assigned due to lack of formal versioning and GitHub-only distribution.

RemediationAI

Since zhousg letao uses rolling releases without tagged versions, pull the latest commits from the master branch after validating that the file upload validation in routes/bf/product.js has been corrected. Implement explicit input validation for the pictrdtz parameter to enforce whitelisted upload directories and filenames, rejecting path traversal sequences (../, ..\ , etc.). Apply authentication and authorization checks before any file upload operation, ensuring uploaded files are stored outside the web root with restricted execute permissions (chmod 644 or 640). As immediate compensating controls: restrict file uploads to authenticated users with explicit 'upload' role (currently partially implemented via PR:L but not granular enough), validate file MIME types against an allowlist, and implement file type verification beyond extension checking (use libmagic or equivalent). Disable execution of uploaded files in the upload directory via web server configuration (Apache .htaccess or nginx location blocks). Developers should review GitHub issue #13 and associated discussions for context; community patches may exist in pull requests.

Share

CVE-2025-8128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy