Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an authenticated user on the web server manipulates file path.
AnalysisAI
Path traversal vulnerability (CWE-22) in a web application that allows authenticated users with high privileges to write arbitrary files to the system by manipulating file paths. While the CVSS score of 7.2 indicates moderate-to-high severity with high impact to confidentiality, integrity, and availability, the requirement for authenticated high-privilege access (PR:H) significantly constrains real-world exploitability. Active exploitation status, public POC availability, and EPSS score are unknown from the provided data, limiting definitive risk prioritization.
Technical ContextAI
This vulnerability exploits improper input validation in file path handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The root cause stems from insufficient canonicalization or validation of user-supplied file paths before file operations, allowing traversal sequences (e.g., '../', '..\\') to escape intended directory boundaries. The attack vector is Network (AV:N) with Low complexity (AC:L), indicating the flaw is straightforward to exploit once access is obtained. The vulnerability requires authentication (PR:H) and manipulation of file path parameters in web requests, suggesting the affected component likely processes file uploads, path-based API endpoints, or configuration file writes. Without specific CPE data provided, the vendor and product remain unidentified, but this pattern is common in content management systems, file management applications, and enterprise web applications that handle user-supplied paths.
RemediationAI
Immediate remediation steps: (1) Apply security patches from the vendor when available—specific patch versions are not provided in the supplied data; consult vendor security advisories for exact version numbers. (2) As a workaround, restrict file path parameters by implementing strict input validation: canonicalize all user-supplied paths using safe libraries (e.g., Python's pathlib.Path.resolve(), Java's java.nio.file.Files), whitelist allowed directories, and reject paths containing traversal sequences ('./', '../', '\\', etc.). (3) Enforce principle of least privilege by ensuring admin/high-privilege accounts are not over-provisioned and monitor admin file operations for anomalies. (4) Implement chroot jails or containerization to restrict file system access scope. (5) Enable and audit file system access logs to detect exploit attempts. (6) Disable unnecessary file write endpoints and enforce read-only modes where applicable. Consult vendor security bulletins and the CVE's NVD page for vendor-specific patches and official guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17638