CVE-2025-4178

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-4178
A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The manipulation leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:P

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md Exploit
https://vuldb.com/?ctiid.306797 Permissions Required VDB Entry
https://vuldb.com/?id.306797 Third Party Advisory VDB Entry
https://vuldb.com/?submit.561794 Exploit Third Party Advisory VDB Entry
https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md Exploit
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:xiaowei1118:java_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

17 Jun 2025, 14:18

Type Values Removed Values Added
Summary
  • (es) Se encontró una vulnerabilidad en xiaowei1118 java_server hasta 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a en Windows, clasificada como crítica. Este problema afecta a un procesamiento desconocido del archivo /src/main/java/com/changyu/foryou/controller/FoodController.java del componente File Upload API. La manipulación provoca un path traversal. El ataque puede iniciarse remotamente. Se ha hecho público el exploit y puede que sea utilizado. Este producto utiliza el enfoque de lanzamiento continuo para garantizar una entrega continua. Por lo tanto, no se dispone de detalles de las versiones afectadas ni de las actualizadas.
References () https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md - () https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md - Exploit
References () https://vuldb.com/?ctiid.306797 - () https://vuldb.com/?ctiid.306797 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.306797 - () https://vuldb.com/?id.306797 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.561794 - () https://vuldb.com/?submit.561794 - Exploit, Third Party Advisory, VDB Entry
First Time Microsoft
Microsoft windows
Xiaowei1118
Xiaowei1118 java Server
CPE cpe:2.3:a:xiaowei1118:java_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

02 May 2025, 18:15

Type Values Removed Values Added
References () https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md - () https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250418-02.md -

01 May 2025, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-01 22:15

Updated : 2025-06-17 14:18

NVD link : CVE-2025-4178

Mitre link : CVE-2025-4178

CVE.ORG link : CVE-2025-4178

JSON object : View

Products Affected

xiaowei1118

  • java_server

microsoft

  • windows
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')