CVE-2025-15449
Unknown Unknown - Not Provided
Path Traversal in JavaMall MinioController Allows Remote Exploitation

Publication date: 2026-01-05

Last updated on: 2026-03-08

Assigner: VulDB

Description
A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-03-08
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15449
EUVD
EUVD-2026-0921
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cld378632668 javamall 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15449 is a path traversal vulnerability in the JavaMall project, specifically in the delete function of MinioController.java. It occurs because the application does not properly validate or restrict the objectName parameter, allowing attackers to manipulate file paths to traverse directories and delete arbitrary files on the server remotely. This lack of input validation and filtering enables unauthorized file deletion, impacting system integrity and availability. [1, 3]

Impact Analysis

This vulnerability allows remote attackers to delete arbitrary files on the affected server by exploiting path traversal in the delete function. This can lead to loss of critical files, disruption of services, and compromise of system integrity and availability. Since the attack can be performed remotely and easily, it poses a serious security risk to systems using the vulnerable JavaMall component. [1, 3]

Mitigation Strategies

Since no patches or countermeasures are currently available and the vendor has not responded, it is suggested to consider replacing the affected JavaMall component to mitigate the risk. Additionally, restricting access to the vulnerable delete function and monitoring for suspicious file deletion activity may help reduce exposure. [3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available resources. The vulnerability involves manipulation of the 'objectName' parameter in the delete function of MinioController.java leading to path traversal and arbitrary file deletion. Detection would likely require code review or monitoring for suspicious delete requests with path traversal patterns, but no explicit commands or tools are mentioned.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart