CVE-2025-13875
Description
A weakness has been identified in Yohann0617 oci-helper up to 3.2.4. The issue affects the function addCfg in the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the component OCI Configuration Upload. Manipulation of the File argument can lead to path traversal. The attack can be launched remotely. An exploit has been made publicly available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in oci-helper up to 3.2.4 allows authenticated remote attackers to write arbitrary files via unsanitized filename input during OCI configuration upload.
Root Cause
The path traversal vulnerability resides in the addCfg function of OciServiceImpl.java (line 146). The application constructs a file path by directly concatenating the user-supplied filename (params.getFile().getOriginalFilename()) with the base directory, without any sanitization or validation. The FileUtil.touch() method, which is from the Hutool library, then creates the file at the attacker-controlled path, enabling directory traversal [1][2].
Exploitation
An authenticated attacker can launch a remote exploit by sending a crafted multipart request to the /api/oci/addCfg endpoint. The attacker controls the filename (e.g., using ../ sequences) to write files to arbitrary locations on the server. No special network position is required as the attack is fully remote [1]. Public exploit code has been made available [2].
Impact
Successful exploitation allows arbitrary file write. This could lead to overwriting application files, configuration files, or other sensitive data, potentially resulting in full compromise of the application. The CVSS v3.1 score from the reference is 8.1 (High) due to high impact on confidentiality and integrity [1].
Mitigation
As of the disclosure date (2025-11-10), the vendor had not responded and no fix was available [1]. Users should apply input validation on the filename, restrict upload destinations, or disable the affected functionality until a patch is released.
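The following is an added example of the filename validation and confinement recommended above; it is not oci-helper's own code, and the class name, method names and the BASE_DIR location are assumptions. It shows the stricter option (a server-assigned name, so the client filename never reaches the filesystem) beside an allow-list check for cases where the original name must be kept.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.regex.Pattern;

// Added example, not oci-helper's own code. The vulnerable pattern described
// above amounts to joining the client-chosen name to the base directory as-is:
//   FileUtil.touch(baseDir + params.getFile().getOriginalFilename());
// Here the name is validated first, and the resulting path is checked to stay
// inside the upload directory before anything is created on disk.
public final class SafeUploadPath {

    // Hypothetical base directory; the real one is whatever the app configures.
    static final Path BASE_DIR =
            Paths.get("/var/oci-helper/configs").toAbsolutePath().normalize();

    // Allow-list: starts with an alphanumeric (so "..", ".hidden" fail),
    // no separators, no NUL, bounded length.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    // Preferred: never reuse the client's filename on disk at all. Keep the
    // original name as metadata (in the database, not the path) if needed.
    public static Path serverAssignedTarget() {
        return BASE_DIR.resolve(UUID.randomUUID() + ".conf");
    }

    // If the original name must be kept, allow-list it and confine the result.
    public static Path resolveUploadTarget(String originalFilename) {
        if (originalFilename == null || !SAFE_NAME.matcher(originalFilename).matches()) {
            // Reject rather than strip: a name containing "/" or "\" is worth
            // logging as a traversal attempt, not silently normalising.
            throw new IllegalArgumentException("rejected filename: " + originalFilename);
        }
        Path target = BASE_DIR.resolve(originalFilename).normalize();
        if (!target.startsWith(BASE_DIR)) {
            // Defence in depth: cannot fire if the allow-list held, but cheap.
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println("accepted: " + resolveUploadTarget("tenant.ini"));
        System.out.println("server-assigned: " + serverAssignedTarget());
        for (String bad : new String[] {"../../etc/cron.d/job", "..", "/tmp/x", ".profile"}) {
            try {
                resolveUploadTarget(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("blocked: " + bad);
            }
        }
    }
}
```

Whichever variant is used, the write itself should still happen under an account that has no write access outside BASE_DIR, so a bypass in the check does not become an arbitrary file write.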
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected entries:
- (no CPE) range: <=3.2.4
- (no CPE) range: <=3.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions
No linked articles in our index yet.