A recently disclosed vulnerability, tracked as CVE-2025-2917, affects ChestnutCMS versions up to and including 1.5.3. It has been classified as problematic: a path traversal weakness in the readFile function behind the /dev-api/cms/file/read endpoint. Because the filePath argument is taken from the request without being confined to an allowed directory, a remote attacker can steer the read to arbitrary files and obtain sensitive data stored on the server.

The following snippet is a simplified Express-style illustration of the vulnerable pattern (the directory comes from the query string, the file name from the route, and the two are joined and read without any containment check):

const express = require('express');
const { readFile } = require('fs/promises');

const router = express.Router();

// Vulnerable by design: `path` is attacker-controlled (e.g. "../../.."),
// and the concatenation below neither normalizes the result nor checks
// that it stays inside an allowed directory.
router.route('/dev-api/cms/file/read/:filename')
    .get(async (req, res) => {
        const { params: { filename } } = req;
        const { path } = req.query;           // directory taken straight from the URL
        const filePath = path + '/' + filename;

        try {
            const data = await readFile(filePath); // un-sanitized input
            res.end(data);
        } catch (err) {
            res.status(500)
                .end('Internal server error');
        }
    });

module.exports = router;

In the code above, readFile(filePath) receives a string built from unsanitized request data. Nothing strips or rejects ../ segments, nothing resolves the path against a fixed base directory, and nothing verifies that the final path is still inside that directory, so an attacker can read any file the server process is permitted to open.

Original References

The original disclosure of this vulnerability can be found at Exploit DB, providing details on the security threat and its potential impact. For further information on ChestnutCMS and other vulnerabilities that have been discovered within the platform, refer to their official GitHub Repository.

Exploit Details

To exploit the vulnerability, an attacker supplies traversal sequences in the attacker-controlled part of the path. In the snippet above the route's :filename parameter only matches a single path segment, so the traversal travels in the path query parameter. An example of such a request:

GET /dev-api/cms/file/read/confidentialFile.txt?path=../../.. HTTP/1.1
Host: target-domain

The handler concatenates the two values into ../../../confidentialFile.txt, which readFile() resolves relative to the server process's working directory. The read therefore lands three directories above the intended location, and any file there that the process can open is returned in the response.

Steps to Mitigate the Security Issue

Preventing path traversal in the readFile function requires more than filtering the string for "../". The robust approach is to resolve the user-supplied value against a fixed base directory, normalize the result, and then check that the normalized path still lies inside that base; absolute paths, NUL bytes, and file names containing separators should be rejected outright, and the check should be repeated after resolving symlinks so a link planted inside the directory cannot point back out of it. Beyond the code fix, update to a ChestnutCMS release that addresses CVE-2025-2917, run the application with the least file-system privilege it needs so that a successful read exposes as little as possible, and treat a web application firewall as defense in depth rather than a substitute for the fix. Keep track of security patches published by the vendor.

Conclusion

The CVE-2025-2917 vulnerability in ChestnutCMS up to 1.5.3 poses a significant security risk due to potential path traversal and unauthorized access to confidential data. It is crucial to address this security issue by employing proper input validation and adhering to best security practices while developing and deploying web applications.

Timeline

Published on: 03/28/2025 18:15:17 UTC
Last modified on: 04/14/2025 13:53:30 UTC