VYPR
Medium severity 6.3 · NVD Advisory · Published May 18, 2025 · Updated Apr 15, 2026

CVE-2025-4868

Description

A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in ecommerce-spring-reactjs file upload allows remote attackers to write or delete files outside intended directory via crafted filename.

Vulnerability

Overview

A path traversal vulnerability exists in the file upload endpoint of merikbest ecommerce-spring-reactjs (up to commit 464e610). The application fails to properly validate the filename parameter in requests to /api/v1/admin/add and /api/v1/admin/edit, allowing attackers to control the file path [1].

Exploitation

An attacker with admin credentials can send a POST request with a crafted filename containing path traversal sequences (e.g., ../) to upload or delete files to arbitrary locations on the server. The exploit requires authentication as an admin user, but the default admin credentials are provided in the proof-of-concept [1].

Impact

Successful exploitation allows an attacker to overwrite configuration files, inject malicious code, or delete critical system files, potentially leading to full server compromise.

Mitigation

The vendor uses continuous delivery with rolling releases, but no patched version has been released. Users should restrict access to the admin endpoints and validate file paths server-side.
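The server-side check recommended above, shown as an added illustration in Java (this is not code from ecommerce-spring-reactjs): the allow-list pattern, the UPLOAD_DIR location and the sample filenames are assumptions, and the unsafeTarget method stands for the generic join-the-client-string pattern that lets "../" escape the upload directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Server-side filename validation for an upload endpoint, in the style of the
// check the Mitigation section asks for. Added illustration, not code from
// ecommerce-spring-reactjs; UPLOAD_DIR and the allow-list pattern are assumptions.
public final class SafeUploadPath {
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Allow-list: leading alphanumeric, then letters, digits, '.', '_' or '-'.
    // This rejects "..", hidden files, and every path separator on every platform.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    // Generic pattern that enables traversal (illustrative, not the project's code):
    // the client string is joined onto the directory, so "../" walks out of UPLOAD_DIR.
    static Path unsafeTarget(String clientFilename) {
        return Paths.get(UPLOAD_DIR.toString(), clientFilename).normalize();
    }

    // Hardened form: allow-list the name, then confirm the normalized result is
    // still a strict descendant of UPLOAD_DIR before any file I/O happens.
    static Path safeTarget(String clientFilename) {
        if (clientFilename == null || !SAFE_NAME.matcher(clientFilename).matches()) {
            throw new IllegalArgumentException("filename fails allow-list");
        }
        Path target = UPLOAD_DIR.resolve(clientFilename).normalize();
        if (!target.startsWith(UPLOAD_DIR) || target.equals(UPLOAD_DIR)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, three traversal attempts.
        String[] samples = { "banner.png", "../../etc/passwd", "..", "sub/../../x" };
        for (String s : samples) {
            String safe;
            try {
                safe = safeTarget(s).toString();
            } catch (IllegalArgumentException e) {
                safe = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.println(s + "\n  unsafe -> " + unsafeTarget(s) + "\n  safe   -> " + safe);
        }
    }
}
```

Restricting who can reach /api/v1/admin/ (the other half of the mitigation) is still necessary, since the check above only protects against a caller who already has admin access.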

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)