CVE-2025-9409 in ruoyi-goinfo

Summary

by MITRE • 08/26/2025

A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/07/2025

The vulnerability identified as CVE-2025-9409 represents a critical path traversal flaw within the lostvip-com ruoyi-go web application framework version 2.1 and earlier. This security weakness exists within the CommonController.go file, specifically in the DownloadTmp and DownloadUpload functions that handle temporary file downloads. The flaw stems from inadequate input validation and sanitization of the fileName parameter, which allows attackers to manipulate file paths and access unauthorized resources within the application's file system. The vulnerability's remote exploitability means that malicious actors can leverage this weakness from outside the network boundary without requiring local system access or authentication credentials. The public release of exploit code significantly increases the risk exposure, as it provides threat actors with readily available tools to target vulnerable installations. This type of vulnerability directly maps to CWE-22 Path Traversal which is classified as a high-severity weakness in the Common Weakness Enumeration catalog and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1566.001 for Phishing with Malicious Attachments.

The technical implementation of this path traversal vulnerability occurs when the application processes user-supplied fileName arguments without proper validation of directory traversal sequences such as ../ or ..\\. The affected functions in CommonController.go fail to sanitize input parameters before using them in file system operations, allowing attackers to construct malicious file paths that can traverse directories outside the intended download scope. This flaw enables adversaries to access sensitive files including configuration files, database credentials, application source code, or other system resources that should remain protected. The impact extends beyond simple file access as attackers can potentially execute arbitrary code or cause denial of service conditions by accessing critical system components. The lack of vendor response despite early notification creates an urgent security concern as organizations running affected versions cannot rely on official patches or updates to address this vulnerability.

Organizations utilizing ruoyi-go versions up to 2.1 must implement immediate mitigations to protect against exploitation of this path traversal vulnerability. The most effective immediate remediation involves implementing strict input validation and sanitization for all file name parameters, particularly those used in file system operations. Organizations should consider implementing a whitelist approach that only allows specific, safe file name patterns and reject any input containing directory traversal sequences. Additionally, the application should run with minimal required privileges and implement proper file system access controls to limit the damage that could occur even if exploitation succeeds. Network-level protections such as web application firewalls and intrusion prevention systems should be configured to detect and block known malicious patterns associated with path traversal attacks. The absence of vendor response underscores the importance of maintaining awareness of third-party security advisories and implementing independent vulnerability assessment procedures to identify and remediate such critical flaws in open source components. Organizations should also consider implementing automated monitoring for suspicious file access patterns and maintain up-to-date security intelligence feeds to stay informed about emerging threats targeting similar frameworks and applications.

Responsible

VulDB

Disclosure

08/26/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00693

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!