Home > Vulnerability Database > CVE-2025-9409

Mend.io Vulnerability Database

CVE-2025-9409

Good to know:

Date: August 25, 2025

A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Severity Score

4.3

Related Resources (8)

Url: https://github.com/on-theway/cve/issues/1

Url: https://github.com/on-theway/cve/issues/2

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-9409

Url: https://vuldb.com/?submit.633661

Url: https://vuldb.com/?ctiid.321250

Url: https://vuldb.com/?id.321250

Url: https://vuldb.com/?submit.633663

Url: https://www.mend.io/vulnerability-database/CVE-2025-9409

Severity Score

4.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version https://github.com/lostvip-com/ruoyi-go.git - null

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-9409

Good to know:

Date: August 25, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?