CVE-2025-10081 Overview
CVE-2025-10081 affects SourceCodester Pet Management System 1.0, also distributed as Mayurik Pet Grooming Management Software. The flaw resides in /admin/profile.php and stems from improper validation of the website_image parameter. Authenticated attackers can abuse this parameter to upload arbitrary files to the server. The weakness maps to CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control). A public exploit is available, and remote exploitation is possible over the network.
Critical Impact
Attackers with administrative access can upload web shells through the profile image handler, leading to remote code execution on the underlying web server.
Affected Products
- Mayurik Pet Grooming Management Software 1.0
- SourceCodester Pet Management System 1.0
- Deployments referencing cpe:2.3:a:mayurik:pet_grooming_management_software:1.0
Discovery Timeline
- 2025-09-08 - CVE-2025-10081 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10081
Vulnerability Analysis
The vulnerability exists in the administrator profile handler at /admin/profile.php. The script accepts a website_image upload parameter without enforcing file type, extension, or MIME validation. An authenticated administrator can submit a PHP file disguised as an image and have it stored in a web-accessible directory. Requesting the stored file then executes the attacker-supplied PHP code under the web server process. Public exploitation material is hosted in the Pet-Grooming-Management-RCE repository.
Root Cause
The profile update routine writes uploaded files directly to disk without server-side allowlist checks on file extension or content. Combined with weak access control around the upload destination, this allows execution of uploaded server-side scripts.
Attack Vector
Exploitation requires high privileges, since the vulnerable endpoint lives under /admin/. An attacker who has compromised or obtained administrator credentials submits a multipart POST request to profile.php containing a PHP payload in the website_image field. The server stores the payload, and a follow-up GET request to the uploaded path triggers code execution. See the VulDB entry #323036 for additional submission detail.
No verified exploit code is reproduced here. The mechanism is documented in the referenced GitHub proof-of-concept.
Detection Methods for CVE-2025-10081
Indicators of Compromise
- Files with executable extensions such as .php, .phtml, or .phar written to image upload directories used by the application.
- HTTP POST requests to /admin/profile.php containing a website_image form field with non-image content.
- Subsequent GET requests to newly created files under the uploads path returning HTTP 200 with non-image content types.
Detection Strategies
- Inspect web server access logs for sequential POST to /admin/profile.php followed by GET requests to uncommon filenames under upload directories.
- Hash and inventory files in the website_image storage path, alerting on any non-image MIME types or PHP shebangs.
- Apply WAF rules that block multipart uploads where website_image contains <?php, eval(, or other server-side script markers.
Monitoring Recommendations
- Monitor file integrity on the web root for new or modified .php files outside the application source tree.
- Track outbound connections from the PHP-FPM or Apache worker process, which typically indicate post-upload web shell activity.
- Alert on creation of new files by the web server user in directories writable by the upload handler.
How to Mitigate CVE-2025-10081
Immediate Actions Required
- Restrict access to /admin/profile.php to trusted source networks via reverse proxy or .htaccess controls until a fix is applied.
- Audit the website_image upload directory for unexpected files and remove any server-side scripts.
- Rotate administrator credentials and review session activity for unauthorized profile changes.
Patch Information
No official vendor patch has been published for CVE-2025-10081 at the time of writing. Refer to the SourceCodester project page and the VulDB advisory for status updates.
Workarounds
- Configure the web server to deny script execution within the uploads directory, for example by disabling PHP handlers via <Directory> or location blocks.
- Implement a server-side allowlist that validates file extension, MIME type, and magic bytes for the website_image parameter before persistence.
- Rename uploaded files to a randomized identifier with a forced image extension to neutralize script execution.
# Apache: prevent PHP execution inside the uploads directory
<Directory "/var/www/pet-management/uploads">
php_admin_flag engine off
AddType text/plain .php .phtml .phar
Options -ExecCGI
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

