CVE-2025-6925 in RuoYi-Vue-Plus

Summary

by MITRE • 06/30/2025

A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 09/16/2025

CVE-2025-6925 is a critical path traversal flaw in the Dromara RuoYi-Vue-Plus 5.4.0 web application framework. The weakness sits in the Mail Handler component, in MailController.java at line 147, where user-supplied input is processed without adequate validation or sanitization. By manipulating the filePath parameter, an attacker can reach files outside the intended directory structure. The issue is classified as CWE-22 (Path Traversal), a well-documented weakness in which improper input validation lets attackers access files and directories they should not be permitted to access. The attack vector is remote: the flaw can be exploited from outside the network without physical access or prior authentication within the system. Because an exploit has been disclosed publicly, the risk is significantly higher, as malicious actors can immediately use the known vulnerability against affected systems.

The operational impact goes beyond simple unauthorized file access, since path traversal can lead to complete system compromise and data exfiltration. Attackers may read sensitive configuration files, database credentials, application source code, and other confidential data stored on the server. Because the flaw lies in the Mail Handler component, attackers might also reach email-related data or tamper with email configuration, which could enable email spoofing or phishing. In ATT&CK terms the vulnerability maps to T1083 (File and Directory Discovery) and T1566 (Phishing): a compromised mail handler can be used to gather information about the system and to stage further attacks. The vendor's lack of response to early disclosure adds risk, since organizations may not receive timely patches or mitigation guidance and remain exposed to exploitation.

Organizations running Dromara RuoYi-Vue-Plus 5.4.0 should mitigate this critical vulnerability immediately. The primary remediation is strict validation and sanitization of every file path parameter handled by MailController.java, so that user-supplied input cannot carry directory traversal sequences such as "../" or "..\". An allowlist (whitelist) approach, in which only predefined safe paths may be accessed, gives the most robust protection against path traversal. At the network level, firewall rules should restrict access to the Mail Handler endpoints, and a web application firewall can detect and block traversal attempts. Organizations should also review the rest of the application for similar flaws and apply proper access controls to limit the impact of any successful exploitation. The case also underlines the importance of keeping security practices current and of vendors responding promptly to security disclosures in order to protect their users.
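The validation-plus-allowlist remediation described above, as an added example in Java that is not code from RuoYi-Vue-Plus: a resolver that accepts a user-supplied filePath only if it stays inside a fixed attachment directory and names an allowlisted file type. The class name, the base directory and the extension list are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
// Added example, not RuoYi-Vue-Plus code: class name, base directory and extension list are assumptions.
public final class SafeAttachmentResolver {
    private final Path baseDir;                                   // the only directory attachments may come from
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "txt");
    public SafeAttachmentResolver(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();     // canonical form for the startsWith check
    }
    /** Returns a path inside baseDir, or throws IllegalArgumentException for anything that escapes it. */
    public Path resolve(String filePath) throws IOException {
        if (filePath == null || filePath.isBlank() || filePath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("filePath missing or contains NUL");
        }
        Path candidate;
        try {
            // resolve() joins onto baseDir (an absolute input replaces it entirely); normalize()
            // collapses "." and ".." so "../../etc/passwd" becomes a path comparable against baseDir.
            candidate = baseDir.resolve(filePath).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("filePath is malformed", e);
        }
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("filePath escapes the attachment directory");
        }
        // A symlink inside baseDir could still point outside it; re-check the real path when the file exists.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir.toRealPath())) {
            throw new IllegalArgumentException("filePath resolves outside the attachment directory");
        }
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || !ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("attachment type not on the allowlist");
        }
        return candidate;
    }
    public static void main(String[] args) throws IOException {
        SafeAttachmentResolver r = new SafeAttachmentResolver(Paths.get("/srv/app/attachments"));
        System.out.println(r.resolve("reports/q1.pdf"));         // accepted: /srv/app/attachments/reports/q1.pdf
        try { r.resolve("../../etc/passwd"); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Windows the same check also covers "..\" because Path treats the backslash as a separator; on Linux a backslash is an ordinary file name character and cannot move the result out of baseDir.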

Responsible: VulDB
Disclosure: 06/30/2025
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.01425
KEV: no
Activities: very low
