CVE-2025-14965
Unknown Unknown - Not Provided
Path Traversal in Yougou-Mall Upload Function Allows File Access

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: VulDB

Description
A vulnerability was found in 1541492390c yougou-mall up to 0a771fa817c924efe52c8fe0a9a6658eee675f9f. This impacts the function Upload of the file src/main/java/per/ccm/ygmall/extra/controller/ResourceController.java. Performing manipulation results in path traversal. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14965
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yougou yougou-mall *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-14965 is a path traversal vulnerability in the upload function of the ResourceController.java file in the yougou-mall project. The vulnerability occurs because the application uses external input to build file paths without properly sanitizing or neutralizing special path elements. This allows an attacker to manipulate the pathname to access files or directories outside the intended restricted directory, leading to unauthorized access to the file system. It is classified under CWE-22 and can impact confidentiality, integrity, and availability of the system. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to files outside the intended directory, potentially allowing attackers to read, modify, or delete sensitive files. It can also enable remote code execution (getshell) and directory traversal attacks, compromising the confidentiality, integrity, and availability of the affected system. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for unusual file upload activity, especially attempts to upload files with manipulated pathnames or unexpected file suffixes. Since the vulnerability involves path traversal via the upload function, detection can include checking logs for suspicious file paths containing traversal sequences like '../'. Network or application logs should be inspected for such patterns. Specific commands depend on the environment, but example commands include searching web server logs for path traversal patterns, e.g., using grep: `grep -r "\.\./" /var/log/your-webserver/` or monitoring upload endpoints for unexpected file suffixes. Additionally, scanning the application source code for unsafe concatenation of file paths in the upload function can help detect the vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the upload functionality until a fix is applied, implementing strict validation and sanitization of file paths and file suffixes in the upload function to prevent path traversal and arbitrary file uploads, and monitoring for suspicious upload activity. Since no known countermeasures or patches are documented and the product uses a rolling release model without specific version details, consider replacing the affected component with an alternative product. Applying strict access controls and limiting privileges of the upload process can also reduce impact. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14965. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart