CVE-2025-13435
Description
A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dreampie Resty up to 1.3.1.SNAPSHOT's HttpClient module has a path traversal vulnerability via the filename argument, allowing remote arbitrary file write.
Vulnerability
A path traversal vulnerability exists in the Dreampie Resty framework's HttpClient module, specifically in the Request function of /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java. The filename argument is not sanitized, enabling an attacker to control the file path when writing HTTP response bodies to disk [2][3].
Exploitation
Exploitation requires the attacker to control the HTTP server the client connects to, perform a Man-in-the-Middle attack, or have the application use a user-configurable download source [2]. The attack is remote, highly complex, and does not require authentication [3].
Impact
Successful exploitation allows arbitrary file write, which can lead to code execution (e.g., deploying webshells), privilege escalation, or denial of service [2].
Mitigation
As of November 2025, no patch is available from the vendor, who did not respond to disclosure [2][3]. Users should consider limiting HttpClient usage to trusted sources or implementing additional input validation.
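One way to implement the input validation suggested above, shown as an added example that is not Resty's code and not from the advisory. The class `SafeDownload`, its methods and the sample filenames are hypothetical; it assumes the application saves all downloads into a single directory it controls.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not code from Resty. SafeDownload and its methods are hypothetical names.
public final class SafeDownload {

    /** Maps an untrusted filename to a path that is a direct child of baseDir. */
    static Path resolve(Path baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.indexOf('\0') >= 0) {
            throw new IOException("invalid filename");
        }
        // Keep only the last path component; treat '/' and '\' as separators on every OS.
        String leaf = untrustedName.substring(
                Math.max(untrustedName.lastIndexOf('/'), untrustedName.lastIndexOf('\\')) + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("invalid filename: " + untrustedName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(leaf).normalize();
        // Defence in depth: the result must sit directly inside the download directory.
        if (!base.equals(target.getParent())) {
            throw new IOException("filename escapes download directory: " + untrustedName);
        }
        return target;
    }

    /** Writes the body to the validated path; fails if the file already exists. */
    static Path save(Path baseDir, String untrustedName, InputStream body) throws IOException {
        Path target = resolve(baseDir, untrustedName);
        Files.copy(body, target); // no REPLACE_EXISTING: existing files are never overwritten
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("downloads");
        // Constructed sample filenames, not taken from the advisory.
        String[] samples = {"report.pdf", "../../etc/cron.d/job", "..\\..\\app\\shell.jsp", "..", "dir/"};
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolve(dir, name));
            } catch (IOException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Names that carry directory components are reduced to their last component rather than rejected, so a traversal attempt lands inside the download directory under a harmless name; an application that prefers to fail closed can reject any name containing a separator instead.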
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cn.dreampie:resty (Maven) | <= 1.3.1.SNAPSHOT | — |
Affected products: 2
Patches: 0
No patches discovered yet.
References (6)
- github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md (source: NVD; tags: Exploit, Third Party Advisory; type: WEB)
- github.com/advisories/GHSA-cv3m-hxpc-4hvm (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-13435 (source: GHSA; type: ADVISORY)
- vuldb.com (source: NVD; tags: Third Party Advisory, VDB Entry; type: WEB)
- vuldb.com (source: NVD; tags: Third Party Advisory, VDB Entry; type: WEB)
- vuldb.com (source: NVD; tags: Permissions Required, VDB Entry; type: WEB)