VYPR
Unrated severityOSV Advisory· Published Dec 19, 2025· Updated Dec 19, 2025

CVE-2025-66908

CVE-2025-66908

Description

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Turms Im/TurmsOSV2 versions
    v0.10.0-SNAPSHOT+ 1 more
    • (no CPE)range: v0.10.0-SNAPSHOT
    • (no CPE)range: <=0.0.0-SNAPSHOT (equivalent to SNAPSHOT up to 2025-12-19)

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.