CVE-2025-14965
Description
A vulnerability was found in 1541492390c yougou-mall up to 0a771fa817c924efe52c8fe0a9a6658eee675f9f. This impacts the function upload/delete of the file src/main/java/per/ccm/ygmall/extra/controller/ResourceController.java. Performing manipulation results in path traversal. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yougou-mall before commit 0a771fa has path traversal in ResourceController's upload/delete due to weak filename validation, enabling arbitrary file deletion.
Vulnerability
Overview
The vulnerability resides in the ResourceController.java file of the yougou-mall application, specifically in the upload and delete methods. The application uses a rolling release model and the issue is present up to commit 0a771fa817c924efe52c8fe0a9a6658eee675f9f. The root cause is insufficient validation of file paths and names. The validateObjectName method splits the input string only by the '/' character and checks whether any segment equals '.' or '..'. As noted in [1], this allows bypasses via URL encoding (e.g., %2e%2e%2f), absolute paths (e.g., /etc/passwd), or special character/delimiter combinations (e.g., .../ on some systems).
Exploitation
Prerequisites and Attack Surface
An attacker does not require authentication to reach the vulnerable endpoints. By crafting a malicious file name or path in the upload or delete request, the attacker can bypass the weak validation. The reference analysis [1] details methods such as encoding traversal sequences with %2e%2e%2f or using absolute paths without any '..' segments, which the simplistic split-based check cannot detect.
Impact
Successful exploitation allows an attacker to perform arbitrary file deletion on the server. According to [1], this can lead to high-risk consequences such as application disruption or data loss when critical files are deleted. Additionally, the upload endpoint [2] does not validate file suffixes, enabling arbitrary file uploads that could lead to remote code execution if the uploaded file is served as executable content.
Mitigation
Status
As of the publication date (2025-12-19), no patched version is available because the product is a rolling release without versioned releases. The recommended remediation, as described in [2], is to enforce a whitelist of allowed file extensions and to sanitize the file path thoroughly, blocking any directory traversal patterns such as '../' using proper path normalization rather than simple string splitting.
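As an added illustration (not code from yougou-mall; the weak checker is a reconstruction of the split-based logic the advisory describes, and the base directory and extension allow-list are assumptions), the weak check beside a normalization-based replacement that confines the resolved path to a fixed resource directory:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

public class ObjectNameCheck {
    // Weak check as described in the advisory (reconstruction, not the project's code):
    // split on '/' and reject only literal "." or ".." segments.
    static boolean weakValidateObjectName(String name) {
        for (String seg : name.split("/")) {
            if (seg.equals(".") || seg.equals("..")) return false;
        }
        return true; // encoded traversal and absolute paths slip through
    }

    // Assumed storage root and extension allow-list for the hardened check.
    private static final Path BASE = Paths.get("/srv/ygmall/resources").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "webp");

    // Hardened check: decode once, normalize against BASE, require the result to stay
    // inside BASE, and allow-list the extension instead of blocking patterns.
    static boolean strictValidateObjectName(String name) {
        String decoded = URLDecoder.decode(name, StandardCharsets.UTF_8);
        if (decoded.isEmpty() || decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) return false;
        // resolve() returns an absolute input unchanged, so "/etc/passwd" fails startsWith(BASE).
        Path candidate = BASE.resolve(decoded).normalize();
        if (!candidate.startsWith(BASE) || candidate.equals(BASE)) return false;
        String file = candidate.getFileName().toString();
        int dot = file.lastIndexOf('.');
        if (dot <= 0 || dot == file.length() - 1) return false;
        return ALLOWED_EXT.contains(file.substring(dot + 1).toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the bypass shapes named in the advisory.
        String[] samples = {"avatar.png", "../../etc/passwd", "%2e%2e%2fetc/passwd", "/etc/passwd", "shell.jsp"};
        for (String s : samples) {
            System.out.printf("%-22s weak=%-5b strict=%b%n",
                    s, weakValidateObjectName(s), strictValidateObjectName(s));
        }
    }
}
```

Only avatar.png passes the hardened check; the weak check accepts every sample except the literal "../../etc/passwd". URLDecoder also turns '+' into a space, so apply the check to the value the framework has already decoded if object names may legitimately contain '+'.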
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.