CVE-2025-4175
Description
A vulnerability, which was classified as critical, was found in AlanBinu007 Spring-Boot-Advanced-Projects up to 3.1.3. This affects the function uploadUserProfileImage of the file /Spring-Boot-Advanced-Projects-main/Project-4.SpringBoot-AWS-S3/backend/src/main/java/com/urunov/profile/UserProfileController.java of the component Upload Profile API Endpoint. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in Spring-Boot-Advanced-Projects file upload endpoint allows remote attackers to write files to arbitrary locations.
Vulnerability Overview
The vulnerability resides in the /api/v1/user-profile endpoint of the Project-4.SpringBoot-AWS-S3 subproject within the Spring-Boot-Advanced-Projects repository (up to version 3.1.3). The uploadUserProfileImage function in UserProfileController.java fails to validate or sanitize the filename provided in the multipart upload request. This allows an attacker to include path traversal sequences (e.g., ../../../) in the filename, leading to arbitrary file writes on the server's filesystem [1].
Exploitation Details
An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP POST request to /api/v1/user-profile with a multipart file whose filename contains path traversal characters. The backend code directly uses the original filename to create a File object via new File(multipartFile.getOriginalFilename()), and subsequently uploads that file to an S3 bucket. The lack of path validation means the file can be written to any directory the application process has write access to [1].
Impact
Successful exploitation allows an attacker to upload arbitrary files to arbitrary locations on the server. Depending on the server's configuration, this could lead to remote code execution (e.g., overwriting a JSP file), data corruption, or denial of service. The vendor was contacted but did not respond, so no official patch or workaround is available [1].
Mitigation Status
As of the publication date, no patch has been released by the vendor. Users of the affected project should implement input validation on the filename parameter, restrict write permissions, or consider disabling the vulnerable endpoint until a fix is applied [1].
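One way to implement the filename validation recommended above, shown as an added example that is not code from the affected project. The class `SafeUploadPath`, the method `resolveUpload`, the extension allow-list and the sample filenames are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class SafeUploadPath {
    // Assumption: only image uploads are expected; the advisory does not list accepted types.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");

    // Pattern described in the advisory: new File(multipartFile.getOriginalFilename())
    // Hardened form: map the client-supplied name to a path guaranteed to sit inside baseDir.
    static Path resolveUpload(Path baseDir, String originalFilename) {
        if (originalFilename == null || originalFilename.isBlank()) {
            throw new IllegalArgumentException("missing filename");
        }
        // Treat both separators as path boundaries, whatever OS the server runs on.
        String leaf = originalFilename.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1);
        int dot = leaf.lastIndexOf('.');
        String ext = dot < 0 ? "" : leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed");
        }
        // Server-generated name: only the vetted extension survives from client input.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) { // defence in depth: containment check after normalization
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        // Constructed sample filenames, as they could arrive in the multipart part.
        for (String name : List.of("avatar.png", "../../../notes.txt", "..\\..\\x.png", "a/b/c.JPG", "")) {
            try {
                System.out.println("[" + name + "] -> " + resolveUpload(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("[" + name + "] -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Accepted uploads always land directly under the upload directory with a random name, so directory components in the submitted filename never reach the filesystem.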
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.1.3
Patches (0)
No patches discovered yet.
References (4)