CVE-2025-56815
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-10-10
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| running-elephant | datart | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Directory Traversal issue in Datart 1.0.0-rc.3 affecting the POST /viz/image interface. The server uses MultipartFile.transferTo() to save uploaded files to a location that the user can control through the file name. Because the server does not strictly verify the file name, an attacker can manipulate the file path to access or overwrite files outside the intended directory.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to write files to arbitrary locations on the server, potentially overwriting critical files or placing malicious files. This can lead to unauthorized access, data corruption, or remote code execution depending on the server configuration and file permissions.