CVE-2025-7115
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: VulDB
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7115 is a critical vulnerability in the Rowboat Labs Rowboat application where the PUT API endpoint for file uploads (located at apps/rowboat/app/api/uploads/[fileId]/route.ts) lacks proper authentication. This misconfiguration allows unauthorized users to upload files anonymously to the server. The vulnerability arises because the authentication middleware does not protect this endpoint, enabling attackers to upload arbitrary files without any verification. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to upload files without authentication, potentially leading to unauthorized data being stored on your server. This can result in exhaustion of server disk space (denial of service) and compromise of system confidentiality, integrity, and availability. Attackers could upload malicious files or large amounts of data, disrupting normal operations and possibly enabling further attacks. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an unauthenticated PUT request to the API endpoint /api/uploads/[fileId]. For example, using curl: `curl -X PUT http://<target-host>/api/uploads/testfile.txt --data-binary @testfile.txt -v`. If the request succeeds and the file is uploaded without authentication, the system is vulnerable. Monitoring network traffic for anonymous PUT requests to /api/uploads/ endpoints can also help detect exploitation attempts. [3]
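The log monitoring suggested above, as an added example that is not from the advisory or the Rowboat project: it scans reverse-proxy access logs for PUT requests to /api/uploads/ that carried no credentials and separates the ones the server accepted from the ones it rejected. The JSON log format, its field names (including `has_auth`) and the sample lines are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample: JSON access-log lines from a reverse proxy in front of
# Rowboat. Field names, including has_auth, are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2025-07-08T10:00:01Z","src":"203.0.113.7","method":"PUT","path":"/api/uploads/a1","status":200,"bytes_in":1048576,"has_auth":false}
{"ts":"2025-07-08T10:00:02Z","src":"198.51.100.4","method":"PUT","path":"/api/uploads/b2","status":200,"bytes_in":2048,"has_auth":true}
{"ts":"2025-07-08T10:00:03Z","src":"203.0.113.7","method":"PUT","path":"/api/uploads/c3?x=1","status":201,"bytes_in":5242880,"has_auth":false}
{"ts":"2025-07-08T10:00:04Z","src":"192.0.2.9","method":"PUT","path":"/api/uploads/d4","status":401,"bytes_in":0,"has_auth":false}
{"ts":"2025-07-08T10:00:05Z","src":"192.0.2.9","method":"GET","path":"/api/uploads/d4","status":200,"bytes_in":0,"has_auth":false}
not-json garbage line
"""

UPLOAD_PATH = re.compile(r"^/api/uploads/[^/?#]+$")

def find_anonymous_uploads(log_text):
    """Return (accepted, rejected, bytes_by_source) for unauthenticated PUTs."""
    accepted, rejected = [], []
    bytes_by_source = defaultdict(int)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        path = str(rec.get("path", "")).split("?", 1)[0]  # drop query string
        if rec.get("method") != "PUT" or not UPLOAD_PATH.match(path):
            continue
        if rec.get("has_auth"):
            continue  # authenticated uploads are expected traffic
        if 200 <= int(rec.get("status", 0)) < 300:
            accepted.append(rec)  # server stored an anonymous upload
            bytes_by_source[rec.get("src", "?")] += int(rec.get("bytes_in", 0))
        else:
            rejected.append(rec)  # endpoint refused the request
    return accepted, rejected, dict(bytes_by_source)

if __name__ == "__main__":
    hits, denied, totals = find_anonymous_uploads(SAMPLE_LOG)
    for rec in hits:
        print("ACCEPTED anonymous PUT", rec["ts"], rec["src"], rec["path"])
    print("rejected:", len(denied), "bytes by source:", totals)
```

Any accepted entry means the endpoint stored a file without credentials; the per-source byte totals give a quick view of how much disk space anonymous uploads have consumed.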
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /api/uploads/[fileId] endpoint by enforcing authentication middleware on this route, ensuring that only authorized users can perform file uploads. If a patch or update is not yet available, consider disabling or blocking the vulnerable API endpoint entirely. Additionally, monitor and limit disk usage to prevent denial-of-service from excessive file uploads. Replacing the affected component with an alternative product until a fix is released is also recommended. [2, 3]