VYPR
Medium severity 4.7 · NVD Advisory · Published Mar 12, 2025 · Updated Apr 15, 2026

CVE-2025-2215

Description

A vulnerability classified as critical was found in Doufox up to 0.2.0. Affected by this vulnerability is an unknown functionality of the file /?s=doudou&c=file&a=list. The manipulation of the argument dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Doufox ≤0.2.0 allows remote attackers to read and manipulate arbitrary files via the dir parameter.

Vulnerability Details

The vulnerability resides in Doufox up to version 0.2.0, specifically in the file listing functionality at the endpoint /?s=doudou&c=file&a=list. The application fails to sanitize user input supplied to the dir parameter, allowing directory traversal sequences such as ../ to escape the intended directory. According to the advisory [1], the issue was discovered and reported to the vendor, who did not respond.

Exploitation

An attacker can exploit this vulnerability without authentication by sending a crafted HTTP request to the vulnerable endpoint. For example, accessing Ip:port/?s=doudou&c=file&a=list&dir=static/../../../../../../../../../ allows traversing to arbitrary directories on the server. The advisory [1] confirms that remote exploitation is possible and that proof-of-concept details have been publicly disclosed.

Impact and Mitigation

Successful exploitation enables an attacker to read, modify, download, or delete arbitrary files on the server, potentially leading to complete compromise of the application and underlying system. As of the publication date, no patch has been released, and the vendor has not responded. Users are advised to apply workarounds such as restricting access to the vulnerable endpoint or upgrading if a fix becomes available. The vulnerability has been assigned a CVSS v3 score of 4.7 (Medium).
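With no patch available, reviewing web server logs for requests to this endpoint is one way to find out whether the workaround is needed urgently. The following is an added example, not code from Doufox or from the advisory: it assumes a combined-format access log, and the function names and sample log lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import urlsplit, parse_qs, unquote

# Route parameters of the file-listing endpoint named in the advisory.
ROUTE = {"s": "doudou", "c": "file", "a": "list"}
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def climbs_above_base(dir_value):
    """True if dir, fully decoded and normalised, has '..' segments left over."""
    prev = None
    while prev != dir_value:  # peel any nested percent-encoding layers
        prev, dir_value = dir_value, unquote(dir_value)
    norm = normpath(dir_value.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")

def flag_requests(log_lines):
    """Return (client, dir) for endpoint hits whose dir leaves the base directory."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        # Assumption: when a parameter repeats, the application uses the last value.
        if any(query.get(k, [""])[-1] != v for k, v in ROUTE.items()):
            continue
        for value in query.get("dir", []):
            if climbs_above_base(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2025:10:00:01 +0000] "GET /?s=doudou&c=file&a=list&dir=static/img HTTP/1.1" 200 812',
    '203.0.113.9 - - [12/Mar/2025:10:00:07 +0000] "GET /?s=doudou&c=file&a=list&dir=static/../../../../../../../../../ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Mar/2025:10:01:30 +0000] "GET /?s=doudou&c=file&a=list&dir=static%2F..%2F..%2F HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2025:10:02:00 +0000] "GET /?s=doudou&c=news&a=list&dir=../ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, value in flag_requests(SAMPLE_LOG):
        print(f"{client} requested dir={value!r}")
```

A value such as static/../uploads normalises to a path that stays inside the base directory and is not flagged, which keeps the report limited to requests that actually climb out.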

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

4
