CVE-2025-8522
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Affected is an unknown function of the file /save.php of the component node.js. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-04
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-08-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-8522
EUVD
EUVD-2025-23540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvvebjs to 2.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8522 is a critical directory traversal vulnerability in the /save.php endpoint of the givanz Vvvebjs application (up to version 2.0.4) when run using Node.js. The vulnerability arises from insufficient sanitization of the user-supplied 'file' parameter in POST requests, allowing an attacker to manipulate the file path to write arbitrary files outside the intended directory. This means an attacker can remotely send specially crafted requests to create or overwrite files anywhere on the server filesystem, potentially compromising the system. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing remote attackers to write arbitrary files outside the intended directory on your server. This can lead to unauthorized modification or creation of files, potentially compromising the confidentiality, integrity, and availability of your system. Attackers could use this to place malicious files, alter existing files, or disrupt normal operations, which could result in system compromise or data loss. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the path traversal in the /save.php endpoint using crafted POST requests with directory traversal sequences in the 'file' parameter. A suggested command to test this is using curl to send a POST request: curl -X POST http://localhost:8080/save.php -d 'file=../flag.txt&html=exploit'. If the file 'flag.txt' is created one directory above the server root, the system is vulnerable. Additionally, attackers may use Google Hacking techniques such as searching for 'inurl:save.php' to identify vulnerable targets. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing the affected product with an alternative that is not vulnerable, as no known countermeasures or mitigations have been documented. Restricting access to the /save.php endpoint and applying strict input validation and sanitization on the 'file' parameter to prevent directory traversal may help, but the recommended action is to avoid using the vulnerable version of VvvebJs. [3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart