CVE-2025-13875 Overview
A path traversal vulnerability has been identified in Yohann0617 oci-helper versions up to 3.2.4. This issue affects the addCfg function within the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the OCI Configuration Upload component. By manipulating the File argument, an attacker can traverse directory paths and potentially access or overwrite files outside the intended directory structure. The vulnerability is exploitable remotely, and a public exploit has been disclosed.
Critical Impact
Remote attackers can exploit this path traversal vulnerability to read, write, or overwrite arbitrary files on the server, potentially leading to information disclosure, configuration tampering, or system compromise.
Affected Products
- Yohann0617 oci-helper versions up to 3.2.4
- OCI Configuration Upload component (OciServiceImpl.java)
Discovery Timeline
- December 2, 2025 - CVE-2025-13875 published to NVD
- December 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-13875
Vulnerability Analysis
CVE-2025-13875 is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The vulnerability resides in the addCfg function of the OciServiceImpl.java file, which is part of the OCI Configuration Upload functionality. With a CVSS 4.0 score of 5.3 (Medium severity), this vulnerability allows remote authenticated attackers to exploit insufficient input validation on file path parameters.
The CVSS vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P indicates:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low
- Privileges Required: Low (authenticated access)
- User Interaction: None required
- Impact: Low confidentiality, integrity, and availability impact
The EPSS (Exploit Prediction Scoring System) data indicates a 0.054% probability of exploitation, placing this vulnerability in the 17th percentile.
Root Cause
The root cause of this vulnerability is improper validation and sanitization of user-supplied file path input in the addCfg function. The function fails to properly neutralize special path elements such as ../ (dot-dot-slash) sequences before using the input to construct file system paths. This allows attackers to escape the intended directory structure and access arbitrary locations on the file system.
Attack Vector
The attack can be launched remotely over the network by an authenticated user. An attacker can craft a malicious request to the OCI Configuration Upload endpoint, including path traversal sequences in the File argument. When processed by the vulnerable addCfg function, these sequences allow the attacker to read, write, or overwrite files outside the designated upload directory.
The exploitation mechanism involves sending specially crafted requests that include directory traversal patterns such as ../ in the file path parameter. When the application processes this input without proper sanitization, it resolves the path relative to the file system root rather than the intended upload directory. For detailed technical analysis and proof-of-concept information, refer to the security report on GitHub.
Detection Methods for CVE-2025-13875
Indicators of Compromise
- HTTP requests to OCI Configuration Upload endpoints containing ../ or URL-encoded variants (%2e%2e%2f)
- Unusual file access patterns outside the expected upload directories
- Unexpected file modifications or creation in system directories
- Web server logs showing path traversal patterns in request parameters
Detection Strategies
Organizations can detect exploitation attempts by implementing the following strategies:
Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block requests containing common path traversal patterns such as ../, ..\, %2e%2e%2f, and other encoded variants.
Log Analysis: Monitor application and web server logs for suspicious patterns in file path parameters, particularly in requests to the OCI Configuration Upload functionality.
File Integrity Monitoring: Implement file integrity monitoring (FIM) solutions to detect unauthorized changes to sensitive files that may indicate successful exploitation.
Runtime Application Self-Protection (RASP): Deploy RASP solutions that can detect and prevent path traversal attacks at runtime.
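The indicators and the log-analysis strategy above can be turned into a small scanner. The following is an added example, not code from oci-helper or from the advisory: it pulls the request target out of Common Log Format lines, URL-decodes it repeatedly so that both %2e%2e%2f and double-encoded %252e%252e%252f collapse to ../, and flags lines aimed at the upload route. The route /api/oci/addCfg and the log lines are constructed assumptions; the real route is not given on this page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not part of oci-helper: flag access-log lines whose request
// target hits the configuration upload route and carries a traversal sequence.
public class TraversalLogScanner {
    // Assumed route for the upload component; the real URL is not given in the advisory
    static final String UPLOAD_ROUTE = "/api/oci/addCfg";
    // "../" or "..\" anywhere in the decoded target
    static final Pattern TRAVERSAL = Pattern.compile("\\.\\.[/\\\\]");

    // Decode until the string stops changing so double-encoded input is caught too
    static String fullyDecode(String s) {
        String prev;
        String cur = s;
        int rounds = 0;
        do {
            prev = cur;
            try {
                cur = URLDecoder.decode(prev, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed %-escape: keep the last decodable form
            }
        } while (!cur.equals(prev) && ++rounds < 5);
        return cur;
    }

    static boolean hasTraversal(String requestTarget) {
        return TRAVERSAL.matcher(fullyDecode(requestTarget)).find();
    }

    // Extract the request target from a Common Log Format line:
    // client - - [time] "METHOD target HTTP/x" status bytes
    static String requestTarget(String line) {
        int q1 = line.indexOf('"');
        int q2 = q1 < 0 ? -1 : line.indexOf('"', q1 + 1);
        if (q1 < 0 || q2 < 0) return null;
        String[] parts = line.substring(q1 + 1, q2).split(" ");
        return parts.length >= 2 ? parts[1] : null;
    }

    // Returns the lines that target the upload route with a traversal sequence
    static List<String> findTraversalAttempts(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            String target = requestTarget(line);
            if (target != null && target.startsWith(UPLOAD_ROUTE) && hasTraversal(target)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines, not real traffic
        List<String> sample = List.of(
            "10.0.0.5 - - [02/Dec/2025:10:00:01 +0000] \"POST /api/oci/addCfg?file=tenant1.cfg HTTP/1.1\" 200 512",
            "10.0.0.9 - - [02/Dec/2025:10:00:07 +0000] \"POST /api/oci/addCfg?file=../../etc/passwd HTTP/1.1\" 200 2048",
            "10.0.0.9 - - [02/Dec/2025:10:00:09 +0000] \"POST /api/oci/addCfg?file=%2e%2e%2f%2e%2e%2fapp.yml HTTP/1.1\" 200 311",
            "10.0.0.9 - - [02/Dec/2025:10:00:12 +0000] \"POST /api/oci/addCfg?file=%252e%252e%252fconfig.ini HTTP/1.1\" 200 300",
            "10.0.0.7 - - [02/Dec/2025:10:00:15 +0000] \"GET /static/app.js HTTP/1.1\" 200 9000"
        );
        for (String hit : findTraversalAttempts(sample)) {
            System.out.println("ALERT: " + hit);
        }
    }
}
```

Running it prints the three lines from 10.0.0.9 and nothing for the legitimate upload or the static asset. Web server access logs only record the path and query string; if the File argument arrives in a multipart body, the same hasTraversal check should be applied to the application's own log of the received file name, which is where the "detailed logging for file operations" recommendation below pays off.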
Monitoring Recommendations
- Enable detailed logging for the oci-helper application, particularly for file operations
- Monitor for access attempts to sensitive configuration files (/etc/passwd, application configuration files)
- Set up alerts for any file operations that resolve to paths outside the expected upload directory
- Review authentication logs for accounts that may be compromised and used for exploitation
How to Mitigate CVE-2025-13875
Immediate Actions Required
- Upgrade oci-helper to a patched version when available (versions above 3.2.4)
- Implement input validation on all file path parameters before processing
- Deploy a Web Application Firewall (WAF) with rules to block path traversal patterns
- Restrict file system permissions for the application user to limit the impact of exploitation
- Consider disabling the OCI Configuration Upload functionality if not required
Patch Information
The vendor was contacted about this disclosure but did not respond. At the time of publication, no official patch has been released. Organizations using oci-helper should monitor the project's GitHub repository for updates and consider the workarounds listed below.
For additional information about this vulnerability, refer to:
Workarounds
Until an official patch is available, implement the following defensive measures:
Input Sanitization: Implement strict input validation on the File parameter to reject any path containing traversal sequences. Validate that the resolved file path remains within the intended directory.
Path Canonicalization: Use canonical path resolution to normalize file paths and verify they remain within allowed directories after resolving symbolic links and relative path components.
Network Segmentation: Limit network access to the oci-helper application to trusted networks and users only.
Principle of Least Privilege: Run the application with minimal file system permissions and use a dedicated service account with restricted access.
// Recommended validation approach
// Ensure uploaded file paths are within the allowed directory
import java.io.File;
import java.io.IOException;
static final String BASE_PATH = "/allowed/upload/directory";
static File resolveInsideBase(String userInput) throws IOException {
    File baseDir = new File(BASE_PATH).getCanonicalFile();
    // getCanonicalFile() collapses "../" segments and resolves symbolic links
    File requestedFile = new File(baseDir, userInput).getCanonicalFile();
    // Compare against the base plus a separator; a bare prefix check would also
    // accept a sibling directory such as /allowed/upload/directory2
    if (!requestedFile.getPath().startsWith(baseDir.getPath() + File.separator)) {
        throw new SecurityException("Path traversal attempt detected");
    }
    return requestedFile;
}
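The input-sanitization and path-canonicalization workarounds above (and the root-cause discussion of unneutralized ../ sequences earlier) combine into the layered check shown here. This is an added example and not oci-helper's code: the class and method names are invented, and the upload directory is a temporary directory created for the demonstration. It uses java.nio.file so that containment is checked on whole path components rather than on a string prefix.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example, not oci-helper's code: layered validation of a user-supplied
// file name before it is used to build a path under the upload directory.
public final class SafeCfgUpload {
    // Layer 1 allow-list: a single path component made of letters, digits, '.', '_' and '-'
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /** Returns the path under uploadDir that fileParam may be written to, or throws. */
    public static Path resolveUploadTarget(Path uploadDir, String fileParam) throws IOException {
        // Layer 1: reject anything that is not a bare file name (slashes, backslashes,
        // percent signs and ".." never pass the allow-list)
        if (fileParam == null || !SAFE_NAME.matcher(fileParam).matches() || fileParam.contains("..")) {
            throw new SecurityException("rejected file name: " + fileParam);
        }
        // Layer 2: canonicalize the base (symlinks resolved), resolve, normalize, then
        // check containment. Path.startsWith compares whole components, so a sibling
        // directory whose name merely shares a prefix does not pass.
        Path base = uploadDir.toRealPath();
        Path target = base.resolve(fileParam).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("path escapes upload directory: " + target);
        }
        // Layer 3: never write through a symlink that already exists at the target
        if (Files.isSymbolicLink(target)) {
            throw new SecurityException("refusing to follow symlink: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("oci-cfg-demo"); // stands in for the upload directory
        // Constructed inputs: one legitimate name, then the traversal patterns named in the advisory
        String[] inputs = {
            "tenant1.cfg",
            "../../etc/passwd",
            "..\\..\\app.yml",
            "%2e%2e%2fconfig.ini", // the servlet container would normally decode this first
            "/etc/passwd",
            "."
        };
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + resolveUploadTarget(dir, in));
            } catch (SecurityException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only tenant1.cfg is accepted; every other input is rejected at layer 1. Layer 1 alone is enough when the parameter is meant to be a file name, and layers 2 and 3 are the defence in depth for callers that legitimately accept a relative sub-path. Note that the allow-list runs on the already URL-decoded value the framework hands to the controller, so the encoded variants listed under Indicators of Compromise arrive here as plain ../ and are rejected for the same reason.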
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.