zhousg letao CVE-2025-8128
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability, which was classified as critical, has been found in zhousg letao up to 7d8df0386a65228476290949e0413de48f7fbe98. This issue affects some unknown processing of the file routes\bf\product.js. The manipulation of the argument pictrdtz leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
AnalysisAI
Unrestricted file upload vulnerability in zhousg letao allows authenticated remote attackers to upload arbitrary files via manipulation of the pictrdtz argument in routes/bf/product.js, leading to potential code execution or system compromise. The vulnerability affects rolling-release versions up to commit 7d8df0386a65228476290949e0413de48f7fbe98, with publicly available exploit code disclosed but limited real-world exploitation risk due to CVSS 2.1 score and low EPSS (0.07%, 20th percentile), suggesting this is primarily a design flaw rather than an actively weaponized threat.
Technical ContextAI
The vulnerability resides in the file upload handling mechanism within routes/bf/product.js, classified as CWE-284 (Improper Access Control). The file upload function fails to properly validate or restrict the pictrdtz parameter, which controls upload destination or file naming. The underlying issue is inadequate input validation and access control enforcement, allowing authenticated users to bypass intended upload restrictions. Given the product uses rolling releases via GitHub, no fixed version tags exist, making traditional patch management difficult. The GitHub issue references suggest this is an open-source Node.js or similar application framework handling e-commerce product image uploads without sufficient authorization checks.
Affected ProductsAI
zhousg letao is affected in all rolling-release versions up to commit 7d8df0386a65228476290949e0413de48f7fbe98 on the master branch (GitHub: github.com/zhousg/letao). No traditional version numbers exist due to rolling release model. The affected component is specifically the product image upload functionality in routes/bf/product.js. CPE string cannot be reliably assigned due to lack of formal versioning and GitHub-only distribution.
RemediationAI
Since zhousg letao uses rolling releases without tagged versions, pull the latest commits from the master branch after validating that the file upload validation in routes/bf/product.js has been corrected. Implement explicit input validation for the pictrdtz parameter to enforce whitelisted upload directories and filenames, rejecting path traversal sequences (../, ..\ , etc.). Apply authentication and authorization checks before any file upload operation, ensuring uploaded files are stored outside the web root with restricted execute permissions (chmod 644 or 640). As immediate compensating controls: restrict file uploads to authenticated users with explicit 'upload' role (currently partially implemented via PR:L but not granular enough), validate file MIME types against an allowlist, and implement file type verification beyond extension checking (use libmagic or equivalent). Disable execution of uploaded files in the upload directory via web server configuration (Apache .htaccess or nginx location blocks). Developers should review GitHub issue #13 and associated discussions for context; community patches may exist in pull requests.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today