CVE-2025-15432 Overview
A path traversal vulnerability has been identified in yeqifu carRental, an open-source car rental management system. This vulnerability affects the downloadShowFile function within the FileController component (com.yeqifu.sys.controller.FileController), accessible via the /file/downloadShowFile.action endpoint. By manipulating the path argument, an unauthenticated remote attacker can traverse the file system and access arbitrary files outside the intended directory structure.
Critical Impact
Remote attackers can exploit this path traversal vulnerability to read sensitive files from the server, potentially exposing configuration files, credentials, database connection strings, and other sensitive data stored on the system.
Affected Products
- yeqifu carRental up to commit 3fabb7eae93d209426638863980301d6f99866b3
- All versions using the vulnerable FileController component
- Systems exposing the /file/downloadShowFile.action endpoint
Discovery Timeline
- 2026-01-02 - CVE-2025-15432 published to NVD
- 2026-01-05 - Last updated in NVD database
Technical Details for CVE-2025-15432
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The downloadShowFile function in the FileController class fails to properly sanitize or validate the path parameter before using it to access files on the server's file system.
When a user requests a file download through the /file/downloadShowFile.action endpoint, the application directly uses the user-supplied path parameter to construct the file path. Without proper validation, an attacker can inject directory traversal sequences (such as ../) to escape the intended directory and access files anywhere on the file system that the web application has permissions to read.
The vulnerability is particularly concerning because it can be exploited remotely over the network without requiring any authentication or user interaction. This means any attacker with network access to the vulnerable application can potentially extract sensitive files from the server.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the downloadShowFile function of the FileController class. The application fails to implement proper path canonicalization and validation checks that would prevent directory traversal sequences from being processed. The path parameter is passed directly to file system operations without:
- Sanitizing path traversal sequences (../, ..\, etc.)
- Validating that the resolved path remains within the intended directory
- Implementing allowlist-based path validation
- Properly canonicalizing the path before comparison
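The missing checks above, shown as an added Java illustration rather than the carRental project's own code: an unsafe concatenation of the user-supplied value next to a resolver that canonicalizes the path and confines the result to an assumed download root (/var/carRental/uploads is a placeholder).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeDownloadResolver {
    // Assumed download root; the real project's directory is not known here.
    private static final Path BASE_DIR =
            Paths.get("/var/carRental/uploads").toAbsolutePath().normalize();

    // Vulnerable pattern: the user-supplied value is appended verbatim, so
    // "../../etc/passwd" becomes /var/carRental/uploads/../../etc/passwd and
    // the OS walks straight out of BASE_DIR when the file is opened.
    static Path resolveUnsafe(String userPath) {
        return Paths.get(BASE_DIR.toString(), userPath);
    }

    // Hardened pattern: resolve, canonicalize, then insist the result is a
    // strict descendant of BASE_DIR. An absolute userPath replaces BASE_DIR in
    // resolve(), so it fails the startsWith check as well.
    static Path resolveSafe(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IOException("empty path parameter");
        }
        Path candidate = BASE_DIR.resolve(userPath).normalize();
        if (!candidate.startsWith(BASE_DIR) || candidate.equals(BASE_DIR)) {
            throw new IOException("path escapes download directory: " + userPath);
        }
        // A symlink planted inside BASE_DIR can still point outside it;
        // compare real paths when the target exists.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(BASE_DIR.toRealPath())) {
            throw new IOException("symlink escapes download directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        String[] samples = {"report.pdf", "../../etc/passwd", "/etc/passwd", "sub/../../x"};
        for (String s : samples) {
            System.out.println("unsafe : " + resolveUnsafe(s));
            try {
                System.out.println("safe   : " + resolveSafe(s));
            } catch (IOException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```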
Attack Vector
The attack can be initiated remotely over the network. An attacker sends a crafted HTTP request to the /file/downloadShowFile.action endpoint with a malicious path parameter containing directory traversal sequences. The vulnerable function processes this input without proper validation, allowing access to files outside the intended download directory.
For example, an attacker could manipulate the path parameter to include sequences like ../../etc/passwd (on Linux systems) or ..\..\windows\system.ini (on Windows systems) to read sensitive system files. The attack requires no authentication and no user interaction, making it trivially exploitable once the vulnerable endpoint is identified.
Technical details and proof-of-concept information can be found in the GitHub Issue Discussion and the VulDB Entry #339354.
Detection Methods for CVE-2025-15432
Indicators of Compromise
- HTTP requests to /file/downloadShowFile.action containing ../ or ..\ sequences in the path parameter
- Unusual file access patterns in application logs showing attempts to access files outside normal directories
- Web server logs containing encoded traversal sequences such as %2e%2e%2f or %2e%2e/
- Access attempts to sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
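The first and third indicators above, turned into a small scanner over access-log lines (an added example, not tooling from the page or the project): the request target is URL-decoded, repeatedly to catch double encoding, and flagged when it hits the endpoint with a ../ or ..\ sequence. The log lines are constructed samples in Combined Log Format.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TraversalLogScanner {
    private static final String ENDPOINT = "/file/downloadShowFile.action";
    // Request target of a Common/Combined Log Format line: "GET /path?q HTTP/1.1"
    private static final Pattern TARGET = Pattern.compile("\"(?:GET|POST|HEAD) (\\S+) HTTP/");
    // ".." followed by a slash or backslash, tested after decoding
    private static final Pattern TRAVERSAL = Pattern.compile("\\.\\.[/\\\\]");

    // Decode up to three times so double-encoded forms (%252e%252e%252f) are caught too.
    static String fullyDecode(String s) {
        for (int i = 0; i < 3; i++) {
            String next;
            try { next = URLDecoder.decode(s, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException e) { break; }  // malformed escape; test what we have
            if (next.equals(s)) break;
            s = next;
        }
        return s;
    }

    // Returns the lines that reach the endpoint with a traversal sequence in the query.
    static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = TARGET.matcher(line);
            if (!m.find()) continue;
            String target = fullyDecode(m.group(1));
            int q = target.indexOf('?');
            String path = q < 0 ? target : target.substring(0, q);
            String query = q < 0 ? "" : target.substring(q + 1);
            if (path.equals(ENDPOINT) && TRAVERSAL.matcher(query).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic; only the second and third should be flagged.
        List<String> sample = List.of(
            "192.0.2.10 - - [02/Jan/2026:10:15:01 +0000] \"GET /file/downloadShowFile.action?path=report.pdf HTTP/1.1\" 200 5120",
            "192.0.2.11 - - [02/Jan/2026:10:15:07 +0000] \"GET /file/downloadShowFile.action?path=../../etc/passwd HTTP/1.1\" 200 1842",
            "192.0.2.11 - - [02/Jan/2026:10:15:09 +0000] \"GET /file/downloadShowFile.action?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1\" 500 0");
        findSuspicious(sample).forEach(System.out::println);
    }
}
```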
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns
- Monitor application logs for requests to the downloadShowFile.action endpoint with suspicious path values
- Deploy intrusion detection systems (IDS) with signatures for path traversal attack patterns
- Enable detailed logging on the application to capture all file access requests and their parameters
Monitoring Recommendations
- Configure alerting for any requests to /file/downloadShowFile.action containing directory traversal characters
- Monitor file system access logs for reads of sensitive configuration files from the web application process
- Implement rate limiting on file download endpoints to slow potential enumeration attacks
- Review access logs regularly for patterns indicating systematic file system probing
How to Mitigate CVE-2025-15432
Immediate Actions Required
- Restrict access to the /file/downloadShowFile.action endpoint using network-level controls or authentication requirements
- Deploy a web application firewall (WAF) with rules to block path traversal sequences in request parameters
- If the application is not critical, consider taking it offline until a patch is available
- Audit system logs for evidence of previous exploitation attempts
Patch Information
At the time of publication, no official patch has been released by the vendor. According to the vulnerability report, the project maintainers were notified through a GitHub issue but have not responded. Since carRental uses a rolling release model, users should monitor the project's repository for commits addressing this vulnerability in the FileController class.
For additional technical details and vulnerability tracking, refer to the VulDB CTI entry.
Workarounds
- Implement input validation at the web server or reverse proxy level to reject requests containing path traversal sequences
- Configure a WAF rule to sanitize or block the path parameter when it contains ../, ..\, or URL-encoded equivalents
- Restrict the application's file system permissions to limit access to only necessary directories
- Consider implementing a custom filter or interceptor to validate file paths before they reach the controller
# Example: Apache mod_rewrite rule to block path traversal attempts
# Add to .htaccess or Apache configuration
# QUERY_STRING is matched raw (not URL-decoded), so encoded forms must be listed
# explicitly; [NC] also covers upper-case %2E/%2F/%5C. Double-encoded sequences
# (%252e) are not caught here; normalise those at the proxy or in the application.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.\\) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e%5c) [NC]
# In .htaccess the leading slash is stripped from the tested path; in server or
# virtual-host context use ^/file/downloadShowFile\.action$ instead.
RewriteRule ^file/downloadShowFile\.action$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.