CVE-2025-56263
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-10-17

Assigner: MITRE

Description
by-night sms V1.0 has an Arbitrary File Upload vulnerability. The /api/sms/upload/headImg endpoint allows uploading arbitrary files. Users can upload files of any size and type.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-10-17
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-56263
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
by-night sms 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-56263 is an arbitrary file upload vulnerability in the by-night sms V1.0 application. The /api/sms/upload/headImg endpoint allows users to upload files without proper server-side validation of file type or size. Although the frontend attempts to validate file types for avatar images, this can be bypassed by sending crafted HTTP POST requests directly to the backend. As a result, attackers can upload files of any type, including potentially malicious executable files. [1]

Impact Analysis

This vulnerability can allow attackers to upload arbitrary files, including malicious executables, to the server. This could lead to remote code execution or other malicious activities, compromising the security and integrity of the affected system. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the /api/sms/upload/headImg endpoint that contain file uploads with suspicious file types or extensions, especially those not typically allowed for avatar images (e.g., .exe files). You can use tools like curl or wget to attempt uploading files with different extensions to test the endpoint. For example, using curl: curl -X POST -F "[email protected];type=image/png" http://<target>/api/sms/upload/headImg and observing if the upload is accepted. Additionally, inspecting web server logs or using network monitoring tools to detect such POST requests with unusual file types can help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include implementing strict server-side validation of uploaded files to verify file types and sizes, not relying solely on frontend validation. Restrict allowed file extensions and content types on the backend, and sanitize file names. If possible, temporarily disable or restrict access to the /api/sms/upload/headImg endpoint until a proper fix is deployed. Monitoring and blocking suspicious upload attempts via web application firewalls (WAF) or intrusion detection systems (IDS) can also help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart