CVE-2025-4893
Description
A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. This affects the function uploadLocalImage of the file /CoinExchange_CryptoExchange_Java-master/00_framework/core/src/main/java/com/bizzan/bitrade/util/UploadFileUtil.java of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in CoinExchange_CryptoExchange_Java's file upload endpoint allows remote attackers to write files to arbitrary locations.
Vulnerability
Overview
A path traversal vulnerability has been found in the jammy928/CoinExchange_CryptoExchange_Java repository (up to commit 8adf508b99). The flaw resides in the uploadLocalImage function of /00_framework/core/src/main/java/com/bizzan/bitrade/util/UploadFileUtil.java. The filename argument is not sanitized before it is used to build the destination path, so an attacker who inserts directory traversal sequences (e.g., ../) controls where the uploaded file is written [1].
Exploitation
Details
The vulnerable endpoints are /admin/common/upload/local/image and /uc/upload/local/image [1]. According to the disclosed proof-of-concept, these endpoints are reachable remotely without authentication [1]. An attacker can craft an upload request whose filename parameter escapes the intended upload directory, so the uploaded file is written to an attacker-chosen location on the server's filesystem, limited only by the permissions of the process running the application.
Impact
Successful exploitation could let an attacker write arbitrary files (for example JSP shells) into web-accessible directories, potentially leading to remote code execution. This could compromise the confidentiality, integrity, and availability of the application and its underlying server [1]. The product does not use versioning, and no official patch has been released for this vulnerability.
Mitigation
As of the publication date, no official fix is available. Operators should stop using the client-supplied filename as part of the on-disk path: generate the stored name on the server, keep at most an allow-listed extension from the request, and canonicalize the resulting path and verify that it still resolves inside the upload directory before writing. The upload endpoints should additionally be restricted to authenticated users. A web application firewall that blocks traversal payloads can serve as defense in depth, but encoded variants of ../ make it an unreliable sole control. If the software is no longer maintained, migrating to an alternative solution is recommended.
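The following is an added example illustrating the flaw described under Exploitation and the hardening recommended above. It is not code from the CoinExchange_CryptoExchange_Java project: the vulnerable pattern is a generic reconstruction of joining a client-supplied name onto an upload root, and the upload root, sample filenames and extension allow-list are constructed for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public final class SafeUploadPath {

    // Constructed allow-list for an image-upload endpoint; adjust to what the deployment needs.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "webp");

    /**
     * Vulnerable pattern (illustrative reconstruction, not the project's own code): the
     * client-supplied name is joined onto the upload root, so "../" segments walk out of it.
     */
    static Path vulnerableDestination(Path uploadRoot, String clientFileName) {
        return uploadRoot.resolve(clientFileName);
    }

    /**
     * Hardened version. The client never chooses the on-disk path: only the extension is taken
     * from the request, and only after it passes the allow-list. The result is normalized and
     * checked to be a direct child of the canonical upload root before it is returned.
     */
    static Path safeDestination(Path uploadRoot, String clientFileName) {
        String ext = extensionOf(clientFileName);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("rejected upload: extension not allowed");
        }
        String serverName = UUID.randomUUID() + "." + ext;   // server-generated, no client bytes
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path dest = root.resolve(serverName).normalize();
        if (!isDirectChildOf(root, dest)) {
            throw new IllegalStateException("rejected upload: destination left the upload root");
        }
        return dest;
    }

    /** Lower-case alphanumeric extension of the name, or "" if there is none or it is malformed. */
    static String extensionOf(String name) {
        if (name == null) return "";
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return "";
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ext.matches("[a-z0-9]{1,5}") ? ext : "";
    }

    /**
     * Containment check for code that must still accept a caller-supplied path (for example
     * when serving a previously stored file). Both sides are normalized first, because
     * "/uploads/../x" would otherwise pass a naive prefix test. Path.startsWith compares whole
     * segments, so "/uploads2/x" is not treated as being under "/uploads" the way a String
     * prefix check would treat it.
     */
    static boolean isDirectChildOf(Path root, Path candidate) {
        Path r = root.toAbsolutePath().normalize();
        Path c = candidate.toAbsolutePath().normalize();
        return c.startsWith(r) && r.equals(c.getParent());
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/exchange/uploads");   // constructed sample upload root

        // Constructed sample names: one benign, one carrying the traversal the advisory describes.
        String benign = "avatar.png";
        String traversal = "../../etc/cron.d/evil.png";

        // The vulnerable join resolves the second name to a path outside the upload root.
        System.out.println("vulnerable, benign    -> " + vulnerableDestination(root, benign).normalize());
        System.out.println("vulnerable, traversal -> " + vulnerableDestination(root, traversal).normalize());

        // The hardened version keeps only the validated extension and a server-chosen name.
        System.out.println("hardened,  benign    -> " + safeDestination(root, benign));
        System.out.println("hardened,  traversal -> " + safeDestination(root, traversal));

        // An executable extension is refused outright, regardless of the rest of the name.
        try {
            safeDestination(root, "shell.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened,  shell.jsp -> " + e.getMessage());
        }

        // The containment check alone also catches the traversal path the vulnerable join built.
        System.out.println("containment check on traversal path: "
                + isDirectChildOf(root, vulnerableDestination(root, traversal)));
    }
}
```

The key design choice is that the client's bytes never become path segments: the stored name is generated server-side and only an allow-listed extension survives, which also neutralizes double-extension tricks such as name.jsp.png. The containment check is kept as a separate method because an application that later serves or deletes uploads by name needs the same normalize-then-compare test on the read path, not only on the write path.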
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.