CVE-2025-57682
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-10-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| papermark | papermark | to 0.20.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Directory Traversal flaw in Papermark version 0.20.0 and earlier. It allows authenticated attackers to retrieve arbitrary files from an Amazon S3 bucket by exploiting the CloudFront distribution through the POST /api/file/s3/get-presigned-get-url-proxy API endpoint. Essentially, attackers with valid credentials can access files they should not be able to by manipulating the file path in the API request.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive files stored in the S3 bucket used by Papermark. Since attackers can retrieve arbitrary files, this could result in exposure of confidential documents, potentially harming privacy, intellectual property, or business secrets. The CVSS score indicates a moderate severity with high confidentiality impact but no impact on integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could negatively impact compliance with standards such as GDPR and HIPAA because unauthorized access to sensitive personal or protected health information stored in the affected files may occur. Such data breaches can lead to violations of data protection regulations, resulting in legal and financial consequences for organizations using vulnerable versions of Papermark. [1]