CVE-2025-15009
Unrestricted File Upload in ChestnutCMS Filename Handler

Publication date: 2025-12-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in liweiyi ChestnutCMS up to version 1.5.8. It affects the function FilenameUtils.getExtension in the file /dev-api/common/upload of the component Filename Handler. Manipulating the argument File can lead to an unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-22
EPSS evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE:

Vendor    Product       Version / Range
liweiyi   chestnutcms   1.5.8
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in liweiyi ChestnutCMS up to version 1.5.8, specifically in the FilenameUtils.getExtension function used in the /dev-api/common/upload endpoint. Due to flawed file extension extraction logic, an attacker can manipulate the filename argument to bypass file extension restrictions and perform an unrestricted file upload. This allows the attacker to upload arbitrary and potentially malicious files remotely by exploiting how the system parses filenames containing certain substrings like '://' and 'wx_fmt='. [2, 3]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized and unrestricted file uploads, allowing attackers to upload potentially dangerous files that the system might automatically process. This can compromise the confidentiality, integrity, and availability of the affected system. Since the exploit can be launched remotely and a proof-of-concept is publicly available, attackers can use this flaw to execute malicious code, deface websites, or disrupt services. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on monitoring requests to the /dev-api/common/upload endpoint for suspicious file upload attempts, especially those with filenames containing the substrings '://' and 'wx_fmt=', which exploit the flawed file extension parsing. Network traffic inspection or web server logs can be analyzed for such patterns. Specific commands depend on the environment; for example, grep can be run on web server logs to find suspicious uploads (grep '/dev-api/common/upload' /var/log/nginx/access.log | grep 'wx_fmt='), or network monitoring tools can filter HTTP POST requests to that endpoint with suspicious filenames. Additionally, scanning for the presence of ChestnutCMS versions up to 1.5.8 can help identify vulnerable systems. [3, 2]
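The grep approach above, carried out as a small log parser over constructed access-log lines. This is an added example written for this page, not code from the original page or from the ChestnutCMS project; the log lines are constructed, and the check assumes the client-supplied filename is visible in the logged request line (for example because the log format records the query string). In a real multipart upload the filename travels in the request body, so this only applies where request-body or WAF logging exists.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Endpoint and indicator substrings named in the advisory text above.
UPLOAD_PATH = "/dev-api/common/upload"
SUSPICIOUS_SUBSTRINGS = ("://", "wx_fmt=")

# Constructed sample access-log lines (nginx/Apache "combined" format).
# Assumption: the logged request target includes the client-supplied filename
# as a query parameter; real multipart uploads carry it in the body instead.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2025:10:01:02 +0000] "POST /dev-api/common/upload HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [22/Dec/2025:10:02:15 +0000] "POST /dev-api/common/upload?file=https%3A%2F%2Fcdn.example.invalid%2Fa.png%3Fwx_fmt%3Dpng HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.9 - - [22/Dec/2025:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.8 - - [22/Dec/2025:10:04:01 +0000] "POST /dev-api/common/upload?file=report.pdf HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_request(rec: dict) -> bool:
    """True for POSTs whose path (query string ignored) is the upload endpoint."""
    path = rec["target"].split("?", 1)[0]
    return rec["method"] == "POST" and path == UPLOAD_PATH


def has_suspicious_filename(target: str) -> bool:
    """Check the URL-decoded request target for the advisory's indicator substrings."""
    decoded = unquote(target)
    return any(s in decoded for s in SUSPICIOUS_SUBSTRINGS)


def scan_log(log_text: str) -> list:
    """Return upload requests whose decoded target carries an indicator substring."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_upload_request(rec) and has_suspicious_filename(rec["target"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "target": unquote(rec["target"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]}')
```

Decoding the target before matching matters: an encoded `%3A%2F%2F` would slip past a literal grep for `://` while still reaching the application as a URL-like filename.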


What immediate steps should I take to mitigate this vulnerability?

Currently, no known countermeasures or mitigations exist for this vulnerability. It is suggested to consider replacing the affected product (liweiyi ChestnutCMS versions up to 1.5.8) with an alternative. As an immediate step, restrict or disable the /dev-api/common/upload endpoint if possible, implement strict network access controls, and monitor for exploitation attempts. Applying web application firewalls (WAF) rules to block suspicious upload patterns may also help reduce risk until a patch or update is available. [2]
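A hardened filename check of the kind the CWE-434 entry calls for, as an added example written for this page; it is not ChestnutCMS code and not a vendor fix. The allowlist, the signature table and the function names are this example's own assumptions. It refuses any value that is not a bare filename (so URL-like values and query strings never reach extension extraction), checks the extension against an allowlist, confirms the leading bytes match the claimed type, and stores the file under a server-generated name.

```python
import secrets
from typing import Optional

# Constructed allowlist for the example; a real deployment defines its own.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Standard leading-byte signatures for each allowed type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Characters that never belong in a bare filename: path separators, URL scheme
# and query/fragment punctuation, NUL. Their presence means the value is not a
# plain filename, so it is rejected instead of being parsed for an extension.
FORBIDDEN_CHARS = set("/\\?#:&=\x00")


def safe_extension(filename: str) -> Optional[str]:
    """Return the lower-cased extension of a bare filename, or None if unsafe."""
    if not filename or len(filename) > 255:
        return None
    if any(c in FORBIDDEN_CHARS or ord(c) < 32 for c in filename):
        return None
    base, dot, ext = filename.rpartition(".")
    # Require a non-empty stem and a non-empty extension (rejects ".htaccess", "report").
    if not dot or not base or not ext:
        return None
    ext = ext.lower()
    if not (ext.isascii() and ext.isalnum()):
        return None
    return ext


def matches_magic(data: bytes, ext: str) -> bool:
    """True when the content starts with a signature registered for ext."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a server-generated storage name, or None if the upload is rejected."""
    ext = safe_extension(filename)
    if ext is None or ext not in ALLOWED_EXTENSIONS:
        return None
    if not matches_magic(data, ext):
        return None
    # Never reuse the client-supplied name on disk; only the vetted extension survives.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed header + padding
    for name in ("photo.PNG", "a.png?wx_fmt=png", "https://cdn.example.invalid/a.png"):
        print(name, "->", validate_upload(name, sample_png))
```

The order of checks is deliberate: the shape of the name is validated before any extension logic runs, so a parser quirk in extension extraction cannot be reached with URL-like input, and the content check catches a permitted extension attached to a non-matching body.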


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

