CVE-2025-7488
Description
A vulnerability has been found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26 and classified as critical. This vulnerability affects the function Download of the file /file/download. The manipulation of the argument Name leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in SpringBoot_MyBatisPlus allows remote unauthenticated attackers to download arbitrary files via the /file/download endpoint.
The vulnerability exists in the /file/download endpoint of JoeyBling's SpringBoot_MyBatisPlus project. The SysFileController handles file downloads without validating or confining the requested path, so an attacker can supply an arbitrary file path through the name parameter when real is set to true [1].
Exploitation requires no authentication, as the /file/ path is publicly accessible. An attacker can send a crafted HTTP request to /file/download?name=<absolute_path>&real=true to read any file accessible to the application server, such as configuration files containing credentials or sensitive data [1].
Successful exploitation leads to unauthorized disclosure of sensitive information, potentially including database credentials, API keys, or source code. This can pave the way for further attacks, such as privilege escalation with the recovered credentials or lateral movement within the network.
As of the advisory, the project uses continuous delivery with rolling releases, and no specific patched version has been identified. Users are advised to restrict access to the /file/ endpoint or implement proper input validation to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
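One way to implement the path confinement the advisory calls for, as an added example in Java that is not code from the SpringBoot_MyBatisPlus project: the resolver below takes the user-supplied name and returns a file only if it resolves, after normalization and symlink resolution, inside a configured download directory, regardless of any real flag. The class name, the temp base directory and the sample file names are assumptions for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.Optional;

// Added example (not the project's code): confines a user-supplied download name to one directory.
public final class SafeDownloadResolver {
    private final Path baseDir;

    public SafeDownloadResolver(Path baseDir) throws IOException {
        // Canonicalize the base once so symlinks in the base itself do not confuse the checks below.
        this.baseDir = baseDir.toRealPath();
    }

    // Returns the real path of the requested file, or empty if the name escapes the base
    // directory (absolute path, "..", symlink pointing outside), is not a regular file, or is missing.
    public Optional<Path> resolve(String name) throws IOException {
        if (name == null || name.isEmpty()) return Optional.empty();
        Path candidate;
        try {
            // resolve() returns an absolute argument unchanged, so "/etc/passwd" stays absolute and
            // fails the startsWith check; normalize() collapses "." and ".." segments lexically.
            candidate = baseDir.resolve(name).normalize();
        } catch (InvalidPathException e) {           // e.g. an embedded NUL byte
            return Optional.empty();
        }
        if (!candidate.startsWith(baseDir)) return Optional.empty();   // lexical escape
        Path real;
        try {
            real = candidate.toRealPath();             // follows symlinks; throws if missing
        } catch (NoSuchFileException e) {
            return Optional.empty();
        }
        // Re-check after symlink resolution, and never serve directories.
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) return Optional.empty();
        return Optional.of(real);
    }

    // Demo with a constructed temp directory: one legitimate file, then traversal-style names.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("downloads");
        Files.write(base.resolve("report.txt"), "sample".getBytes());
        SafeDownloadResolver r = new SafeDownloadResolver(base);
        for (String n : new String[] {"report.txt", "./report.txt", "../../etc/passwd", "/etc/passwd", "."}) {
            System.out.println(n + " -> " + r.resolve(n).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Only the first two names resolve; the others are rejected before any file is opened, and a symlink inside the directory that points outside is caught by the second startsWith check.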
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)