Zhijiantianya Ruoyi-Vue-Pro Path Traversal Vulnerability in Material Upload Interface

Vulnerability

A path traversal vulnerability has been identified in Zhijiantianya Ruoyi-Vue-Pro version 2.4.1. The issue is in the material upload interface, specifically the '/admin-api/mp/material/upload-temporary' endpoint. The 'file' argument (the multipart file part) is used to build a server-side file path without being checked for directory traversal sequences, so an attacker can make the application delete arbitrary files that it has permission to reach, not only its own temporary material.

Impact

Exploiting this vulnerability allows arbitrary file deletion on the server, limited only by the permissions of the account the application runs as. If a file such as an SSH private key is deleted on a Linux server, the result can be a loss of access to the host.

Reproduction

To reproduce this vulnerability, upload a file through the '/admin-api/mp/material/upload-temporary' interface with a directory traversal sequence (for example a '../' prefix) in the 'file' parameter. The traversal makes the application delete the targeted file instead of its own temporary copy; any file the application can reach is affected, for example files under a user's AppData directory on a Windows host.
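The pattern behind this bug, as an added illustration rather than code from Ruoyi-Vue-Pro: a handler that writes the multipart part to a temporary file named after the client-supplied filename, hands it off, and then deletes it, shown beside a hardened version that accepts only a bare file name and confines the resolved path to the temporary directory. The class and method names, the temporary directory and the hand-off step are assumptions; the victim file and the malicious filename built in main() are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration of the upload-temporary pattern behind this advisory.
 * Not Ruoyi-Vue-Pro's code: names, the temp directory and the hand-off step are assumptions.
 * The server writes the multipart part to a temp file named after the client-supplied
 * filename, hands it off, then deletes it; the delete is what turns a '../' in the
 * filename into arbitrary file deletion.
 */
public class TempMaterialUpload {

    // Assumed working directory for temporary material; the real location is not on the page.
    static final Path TEMP_DIR = Paths.get(System.getProperty("java.io.tmpdir"), "mp-material");

    /** Vulnerable: trusts the filename from the multipart 'file' part as a path. */
    static Path vulnerableTempPath(String originalFilename) {
        // "../../root/.ssh/id_rsa" resolves to a path outside TEMP_DIR.
        return TEMP_DIR.resolve(originalFilename);
    }

    /** Hardened: reject anything that is not a bare file name, then confine the result. */
    static Path safeTempPath(String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Browsers send only a base name; separators, "..", and NUL are hostile.
        if (originalFilename.contains("/") || originalFilename.contains("\\")
                || originalFilename.contains("..") || originalFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("traversal in filename: " + originalFilename);
        }
        Path resolved = TEMP_DIR.resolve(originalFilename).normalize();
        // Defence in depth: the normalised path must still sit under TEMP_DIR.
        if (!resolved.startsWith(TEMP_DIR.normalize())) {
            throw new IllegalArgumentException("resolves outside temp dir: " + resolved);
        }
        return resolved;
    }

    /** Models the request flow: write the part to disk, hand it off, delete the temp file. */
    static void handleUpload(String originalFilename, byte[] content, boolean hardened) throws IOException {
        Files.createDirectories(TEMP_DIR);
        Path tmp = hardened ? safeTempPath(originalFilename) : vulnerableTempPath(originalFilename);
        Files.write(tmp, content);
        // (hand-off to the WeChat material API would happen here)
        Files.deleteIfExists(tmp); // vulnerable variant: deletes whatever the filename pointed at
    }

    public static void main(String[] args) throws IOException {
        // Constructed victim file standing in for something like an SSH key on the host.
        Path victim = Files.createTempFile("victim", ".key");
        Files.write(victim, "secret".getBytes(StandardCharsets.UTF_8));
        // Constructed malicious filename: the relative path from TEMP_DIR to the victim.
        String evilName = TEMP_DIR.relativize(victim).toString();

        handleUpload(evilName, new byte[0], false);
        System.out.println("vulnerable handler: victim still exists? " + Files.exists(victim));

        Files.write(victim, "secret".getBytes(StandardCharsets.UTF_8));
        try {
            handleUpload(evilName, new byte[0], true);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened handler rejected upload: " + e.getMessage());
        }
        System.out.println("hardened handler: victim still exists? " + Files.exists(victim));

        Files.deleteIfExists(victim);
        Files.deleteIfExists(TEMP_DIR);
    }
}
```

Compile and run with javac and java: the vulnerable branch removes the constructed victim file, the hardened branch refuses the upload before touching the disk. Rejecting separators and '..' is the check a fix needs; the startsWith test after normalize() is a second line in case a later change lets another path form through. A cleaner fix still is to never derive the temporary name from client input at all and use a server-generated name such as Files.createTempFile.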

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.8
impact:         0.0
exploitability: 6.1
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.