OpenViglet Shio CVE-2025-8343
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Path traversal in OpenViglet Shio up to version 0.3.8 allows authenticated remote attackers to read arbitrary files by manipulating the fileName parameter in the shStaticFilePreUpload API endpoint. The vulnerability has low practical impact (CVSS 2.1, EPSS 0.22%) despite being rated critical in severity classification, as it requires prior authentication and provides only limited confidentiality exposure. Public exploit code is available.
Technical ContextAI
The vulnerability exists in the ShStaticFileAPI.java file, specifically the shStaticFilePreUpload function which processes file upload requests. The root cause is improper input validation on the fileName parameter (CWE-22: Improper Limitation of a Pathname to a Restricted Directory), allowing attackers to use path traversal sequences (e.g., ../) to access files outside the intended upload directory. This is a Java-based REST API endpoint that fails to canonicalize or restrict file paths before file operations. The affected product is OpenViglet Shio, a Java content management system, identified by CPE cpe:2.3:a:viglet:shio:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade OpenViglet Shio to a patched version released after 0.3.8. Check the official GitHub repository (https://github.com/openviglet/shio) for the latest release. Until patching is possible, implement the following compensating controls: restrict network access to the /api/staticfile endpoint to trusted networks or a reverse proxy with strict input validation; enforce strong authentication policies to minimize the number of users who can initiate file uploads; implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (../, ..\ patterns) in the fileName parameter; enable file system access controls to limit the shio application process to read-only access outside its designated upload directory, preventing full file system traversal even if the API vulnerability is exploited. Note that WAF rules may create false positives if legitimate filenames contain similar patterns, requiring careful testing before production deployment.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today