CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
A missing protection against path traversal allows access to any file on the server.
Analysis
Critical path traversal vulnerability (CWE-23) reachable by an unauthenticated remote attacker: the vector is AV:N/AC:L/PR:N/UI:N, so no credentials, no user interaction and no special conditions are needed, and the CVSS 3.1 base score is 9.8. The description only states that any file on the server can be accessed; the vector's C:H/I:H/A:H rating indicates the vendor assessed full confidentiality, integrity and availability impact, not merely file read. KEV status, EPSS score, proof-of-concept details and CPE identifiers are not included on this page, so the affected product, active-exploitation status and patch availability must be confirmed against the vendor's security advisory and the NVD/EUVD records.
Technical Context
Path traversal (CWE-23, Relative Path Traversal) occurs when an application builds a file system path from user-supplied input without validating or canonicalising it, so sequences such as '../' and '..\', their URL-encoded forms ('%2e%2e%2f'), double-encoded forms ('%252e%252e%252f') and Unicode or overlong UTF-8 variants let a request escape the intended directory and reach files elsewhere on the host. "Missing protection" in the description means no such validation or canonicalisation is applied to the file path before it is used. The pattern commonly appears in download endpoints, file upload handlers, template or include loaders, and any API that maps a request parameter onto a path without resolving it and checking the result against an allowed directory. AV:N marks the flaw as reachable over the network, typically through a web-accessible endpoint, and AC:L indicates that ordinary traversal payloads suffice, with no race condition or timing dependency.
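The encoded variants listed above are the reason a single-pass filter for the literal string '../' is not enough. The following is an added example (not code from the affected product or from vuln.today) that scans constructed request-log lines, decodes query values repeatedly, treats backslashes as separators, and flags any path whose directory depth drops below the root. The log lines are made up for the example; the log format (method, path, status) is an assumption. It doubles as a starting point for the log review recommended under Remediation.

```python
"""Detect path traversal attempts in raw request paths (added example)."""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic): "METHOD PATH STATUS".
SAMPLE_LOG = """\
GET /static/css/site.css 200
GET /download?file=../../../../etc/passwd 200
GET /download?file=..%2f..%2f..%2fetc%2fshadow 200
GET /download?file=..%252f..%252fetc%252fpasswd 200
GET /files/..\\..\\windows\\win.ini 200
GET /images/logo.png 200
GET /docs/a/../b/readme.txt 200
"""


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past
    filters that decode only once."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """True if, after decoding and normalising separators, the path climbs
    above the directory it started in.  Depth is tracked by hand because
    posixpath.normpath silently drops leading '..' on absolute paths, which
    is exactly the information we need."""
    p = fully_decode(path).replace("\\", "/")
    depth = 0
    for seg in p.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, offending_value) for every request whose path or
    any query parameter escapes the web root."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        candidates = [url.path]
        for values in parse_qs(url.query, keep_blank_values=True).values():
            candidates.extend(values)  # parse_qs already decoded once
        for value in candidates:
            if escapes_root(value):
                hits.append((lineno, value))
                break
    return hits


if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: traversal in {value!r}")
```

Line 7 of the sample ('/docs/a/../b/readme.txt') is deliberately benign: it contains '../' but never leaves the root, which is why the check is on resolved depth rather than on the presence of the substring.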
Affected Products
The affected product, version range and CPE identifiers are not given on this page. To determine them, cross-reference CVE-2025-3365 (EUVD-2025-17091) against the NVD record at nvd.nist.gov for CPE strings, the ENISA EUVD entry, and the vendor's own security advisory, which is the authoritative source for the affected and fixed version ranges. Do not assume a product category from the CWE alone; path traversal occurs in web servers, application frameworks, file management services, API gateways and CMS platforms alike, and the vector here identifies only that the flaw is reachable over the network.
Remediation
The fixed version is not given on this page. Until the vendor advisory confirms it, apply the following in order of urgency:
1. IMMEDIATE: restrict network access to the affected service (firewall rules or a reverse-proxy ACL) if no patch is available; the flaw needs no credentials, so exposure is the main lever.
2. Apply the vendor's security update as soon as it is published; track the vendor's advisory page and mailing list and the NVD/EUVD records for CVE-2025-3365.
3. Canonicalise every user-supplied path before use: resolve it to an absolute path, following symlinks, and verify that the result lies under the allowed directory; reject it otherwise.
4. Prefer an allow-list of permitted file names or identifiers over pattern-based rejection of '../', '..\' and their encoded variants, which is bypassable with alternative encodings.
5. Run the service with least-privilege file system permissions so that a traversal that does succeed cannot reach credentials, keys or system files.
6. Deploy a WAF ruleset (ModSecurity with the OWASP Core Rule Set) as a compensating control to block known traversal patterns at the edge.
7. Enable audit logging of file access and review request logs for traversal payloads.
Consult the vendor's security advisory and CISA alerts for the specific patch and deployment guidance.
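Steps 3 to 5 above are easiest to see side by side. The block below is an added example, not the affected product's code: a file reader with the CWE-23 pattern (join user input onto the root and open it) next to a hardened reader that canonicalises with Path.resolve() and then checks that the result lies under the root. The temporary directory layout, file names and payloads are constructed for the demonstration, and the hardened function assumes the framework has already URL-decoded the request exactly once.

```python
"""Vulnerable vs hardened file serving under a fixed root (added example)."""
import os
import shutil
import tempfile
from pathlib import Path


class Forbidden(Exception):
    """Raised when the requested path would resolve outside the web root."""


def read_file_vulnerable(root: str, user_path: str) -> bytes:
    """CWE-23 pattern: join user input onto the root and open it, no checks.
    os.path.join discards root entirely when user_path is absolute, and the
    OS honours '..' segments, so any readable file on the host is reachable."""
    with open(os.path.join(root, user_path), "rb") as fh:
        return fh.read()


def safe_path(root: str, user_path: str) -> Path:
    """Canonicalise the (already URL-decoded) request and verify it stays
    inside root; raise Forbidden otherwise."""
    if "\x00" in user_path:
        raise Forbidden("NUL byte in path")
    if user_path.startswith(("/", "\\")) or Path(user_path).is_absolute():
        raise Forbidden("absolute path not allowed")
    root_real = Path(root).resolve()
    # resolve() collapses '..' and follows symlinks, so a symlink inside the
    # root that points outside it is rejected as well.  Backslashes are
    # normalised so the check behaves the same on every platform.
    candidate = (root_real / user_path.replace("\\", "/")).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise Forbidden(f"{user_path!r} escapes {root_real}")
    return candidate


def read_file_hardened(root: str, user_path: str) -> bytes:
    return safe_path(root, user_path).read_bytes()


def demo() -> dict:
    """Build a throwaway root with one public file, a secret outside it and a
    symlink from inside the root to that secret, then try each payload on
    both readers.  Returns {label: (vulnerable_result, hardened_result)}."""
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "public"
        root.mkdir()
        (root / "hello.txt").write_bytes(b"hello")
        (base / "secret.txt").write_bytes(b"TOP SECRET")
        payloads = {
            "inside": "hello.txt",
            "dotdot": "../secret.txt",
            "backslash": "..\\secret.txt",
            "absolute": str(base / "secret.txt"),
        }
        try:
            os.symlink(base / "secret.txt", root / "link")
            payloads["symlink"] = "link"
        except OSError:
            pass  # symlink creation may need privileges on some platforms
        results = {}
        for label, payload in payloads.items():
            try:
                vuln = read_file_vulnerable(str(root), payload)
            except OSError as exc:
                vuln = f"error: {type(exc).__name__}"
            try:
                hard = read_file_hardened(str(root), payload)
            except Forbidden:
                hard = "forbidden"
            results[label] = (vuln, hard)
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, (vuln, hard) in demo().items():
        print(f"{label:10} vulnerable={vuln!r:24} hardened={hard!r}")
```

The "backslash" payload only escapes on Windows in the vulnerable reader, but the hardened one rejects it everywhere, and the "symlink" case shows why the check is made on the resolved path rather than on the request string. Note also that safe_path assumes single decoding has already happened; decoding again inside the function would reintroduce the double-encoding bypass.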
EUVD-2025-17091