CVE-2025-7488
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26 and classified as critical. This vulnerability affects the function Download of the file /file/download. The manipulation of the argument Name leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-12
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-07-12
EPSS Evaluated
2026-05-05
NVD
CVE-2025-7488
EUVD
EUVD-2025-21233
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
joeybling springboot_mybatisplus *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7488 is a critical path traversal vulnerability in the JoeyBling SpringBoot_MyBatisPlus project affecting the /file/download endpoint's Download function. The vulnerability occurs because the 'Name' argument is not properly sanitized, allowing an attacker to manipulate the file path to access files outside the intended directory. This enables unauthorized reading and downloading of arbitrary files on the server remotely without authentication. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive files on the server, such as configuration files or other protected data. Attackers can remotely exploit this flaw to download arbitrary files, potentially exposing confidential information, which compromises the confidentiality of the system. Since the exploit is publicly available and easy to execute, affected systems are at significant risk. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the /file/download endpoint with crafted URL parameters that exploit the path traversal flaw. For example, sending HTTP requests with the 'name' parameter set to paths outside the intended directory and the 'real' parameter set to true can reveal if arbitrary files are accessible. A sample command using curl would be: curl 'http://<target>/file/download?name=../../../../etc/passwd&real=true' to test if the system allows traversal to sensitive files. Monitoring network traffic for such suspicious requests or unexpected file downloads from this endpoint can also help detect exploitation attempts. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling access to the /file/download endpoint if possible, especially from untrusted networks. Since no known mitigations or patches are documented, it is recommended to replace the affected product with an alternative that does not have this vulnerability. Additionally, implementing network-level controls such as firewall rules to block suspicious requests targeting this endpoint and monitoring logs for exploitation attempts can help reduce risk until a fix or update is available. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart