lostvip-com ruoyi-go CommonController.go DownloadUpload path traversal_CVE-2025-9409

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2025-9409

Source VulDB

Published Aug 25, 2025 at 16:02

Affected Product

Vendor lostvip-com

Product ruoyi-go

Version 2.0

Affected Versions lostvip-com ruoyi-go 2.0
lostvip-com ruoyi-go 2.1

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2025-08-25T16:02:07.354Z",
    "modified": "2025-08-25T16:02:07.354Z",
    "type": "cve",
    "title": "lostvip-com ruoyi-go CommonController.go DownloadUpload path traversal",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.321250\nhttps://vuldb.com/?ctiid.321250\nhttps://vuldb.com/?submit.633661\nhttps://vuldb.com/?submit.633663\nhttps://github.com/on-theway/cve/issues/1\nhttps://github.com/on-theway/cve/issues/2",
    "id": "CVE-2025-9409",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "lostvip-com ruoyi-go 2.0\nlostvip-com ruoyi-go 2.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ruoyi-go",
    "version": "2.0",
    "vendor": "lostvip-com",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}