
CVE-2025-24019: Yeswiki Privilege Escalation Vulnerability

CVE-2025-24019 is a vulnerability in YesWiki that allows any authenticated user to delete files owned by the FastCGI Process Manager (FPM) user, including the wiki's own PHP source, via the filemanager component. This post covers technical details, affected versions, impact, and mitigation.


CVE-2025-24019 Overview

CVE-2025-24019 affects YesWiki, a PHP-based wiki system, in versions up to and including 4.4.5. The vulnerability allows any authenticated user to delete arbitrary files owned by the FastCGI Process Manager (FPM) user through the filemanager component. The flaw stems from missing filesystem scope validation [CWE-22], enabling path traversal during file deletion operations. Attackers can remove wiki content, deface the site, or destroy core PHP files such as index.php when www-data owns the application files. Version 4.5.0 contains the patch for this issue.

Critical Impact

Any authenticated user can delete arbitrary files that the FPM user is permitted to remove, resulting in data loss, defacement, and complete loss of wiki availability when core PHP files are removed.

Affected Products

  • YesWiki versions up to and including 4.4.5
  • Standard installations where www-data owns YesWiki PHP files
  • Container deployments where FPM-owned files reside on shared volumes

Discovery Timeline

  • 2025-01-21 - CVE-2025-24019 published to NVD
  • 2025-05-09 - Last updated in NVD database

Technical Details for CVE-2025-24019

Vulnerability Analysis

The vulnerability resides in the YesWiki filemanager component, which fails to restrict file deletion operations to the wiki's intended directory scope. Any authenticated user can invoke the deletion functionality and target paths outside the managed upload directory. The FPM process (typically www-data) executes the deletion, so any file in a directory that user can write to is deletable; unlink() requires write permission on the parent directory, not on the file itself, which is why ownership of the source tree as a whole, not just of individual files, determines the blast radius.

In default container builds, YesWiki PHP files are owned by root, which limits the blast radius to user-uploaded content. In standard bare-metal installations where www-data owns the application source, attackers can delete index.php, configuration files, and core libraries. The result is a complete loss of wiki availability until files are restored from backup.

Root Cause

The filemanager does not validate or canonicalize user-supplied file paths against an allow-listed base directory before invoking the deletion call. This is a classic path traversal flaw [CWE-22] applied to a destructive operation rather than a read primitive.
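As an added illustration (not YesWiki's code, which is PHP), the Python below shows the vulnerable join-and-unlink pattern beside a hardened delete that canonicalises the requested path and refuses anything resolving outside the upload directory. It builds a throwaway directory with a constructed index.php and upload file; the function names, directory layout and traversal strings are assumptions made for the demonstration.

```python
"""Vulnerable versus hardened file deletion (added example, not YesWiki code).

The directory layout, file names and traversal payloads below are constructed
for the demonstration; the hardened check is the generic CWE-22 fix: canonicalise
first, then require the result to stay inside the canonical upload directory.
"""
import os
import shutil
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested path would resolve outside the managed directory."""


def unsafe_delete(upload_dir: str, requested: str) -> str:
    """The vulnerable pattern: join and unlink with no scope validation.

    '../index.php' is honoured by the filesystem, so the file one level above
    the upload directory is removed with the FPM user's privileges.
    """
    target = os.path.join(upload_dir, requested)
    os.unlink(target)
    return os.path.abspath(target)


def safe_delete(upload_dir: str, requested: str) -> str:
    """The hardened pattern: reject absolute paths, canonicalise, check scope.

    realpath() resolves '..', '.' and symlinks, so a symlink planted inside the
    upload directory that points at the application tree is refused as well.
    """
    if os.path.isabs(requested):
        raise UnsafePath(f"absolute paths are not accepted: {requested!r}")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so a sibling directory
    # such as 'files-old' is not mistaken for a child of 'files'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"refusing to delete outside the upload directory: {requested!r}")
    os.unlink(candidate)
    return candidate


def demo() -> dict:
    """Mirror the bare-metal case (one user owns everything) and exercise both
    functions. Returns a dict of outcomes so the behaviour can be checked."""
    root = tempfile.mkdtemp(prefix="yeswiki-demo-")
    try:
        uploads = os.path.join(root, "files")
        os.mkdir(uploads)
        index_php = os.path.join(root, "index.php")  # constructed stand-in
        for path in (index_php, os.path.join(uploads, "photo.png")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")

        results = {}
        # Hardened: a legitimate upload is deleted, traversal attempts are refused.
        results["safe_ok"] = os.path.basename(safe_delete(uploads, "photo.png"))
        for payload in ("../index.php", "/etc/passwd", "sub/../../index.php"):
            try:
                safe_delete(uploads, payload)
                results[payload] = "deleted"
            except UnsafePath:
                results[payload] = "refused"
        results["index_survives_safe"] = os.path.exists(index_php)
        # Vulnerable: the same traversal string removes index.php.
        unsafe_delete(uploads, "../index.php")
        results["index_survives_unsafe"] = os.path.exists(index_php)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations matters: the scope check runs on the canonical path, after symlinks and `..` have been resolved, and only then is the filesystem touched. Checking the raw string for `../` instead would miss encoded forms and symlinks.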

Attack Vector

An authenticated attacker submits a crafted request to the filemanager deletion endpoint specifying a relative or absolute path traversing outside the upload directory. The PHP process resolves the path and unlinks the target file with FPM user privileges. No additional privileges or user interaction beyond standard authentication are required. See the GitHub Security Advisory GHSA-43c9-gw4x-pcx6 for additional technical context.

Detection Methods for CVE-2025-24019

Indicators of Compromise

  • Linux audit (auditd) records of unlink or unlinkat syscalls by the FPM user referencing paths outside the YesWiki upload directory. PHP-FPM itself does not log file deletions, so do not expect unlink() entries in its logs.
  • Web server access logs showing POST requests to filemanager endpoints with path-traversal sequences such as ../ in parameters.
  • Missing core YesWiki files including index.php, wakka.config.php, or files under includes/.
  • HTTP 500 errors or blank pages following filemanager activity from low-privilege accounts.

Detection Strategies

  • Monitor web access logs for filemanager requests containing ../, encoded traversal sequences (%2e%2e, including double-encoded %252e%252e), or absolute paths. Access logs record only the request line and query string; parameters sent in a POST body are visible only with request-body logging, for example a WAF audit log.
  • Enable Linux audit (auditd) rules on the unlink, unlinkat, rmdir and related filesystem syscalls issued by the FPM user, and correlate the timestamps with web access log sessions to attribute deletions to an HTTP request.
  • Deploy file integrity monitoring on the YesWiki installation directory to alert on unauthorized changes to PHP source files.
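An added example, not from the page or the YesWiki project, of the access-log check described in the first strategy: it parses combined-format log lines, fully percent-decodes the request target so double encoding does not slip through, and flags filemanager requests whose path or parameter values contain a traversal component or an absolute path. The log lines, the /filemanager route and the file= parameter are constructed for illustration; substitute the real route and parameter of your deployment.

```python
"""Access-log traversal detection for filemanager requests (added example).

The log lines, the /filemanager route and the file= parameter are constructed
for illustration and are not YesWiki's actual URLs.
"""
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A '..' path component: at the start or after a separator, followed by a
# separator or the end. 'report..pdf' does not match; '../x' and 'a/../x' do.
TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Constructed sample lines (RFC 5737 documentation addresses, fictitious users).
SAMPLE_LOG = [
    '203.0.113.7 - alice [21/Jan/2025:10:01:02 +0000] "GET /filemanager?action=delete&file=photo.png HTTP/1.1" 200 512',
    '203.0.113.7 - alice [21/Jan/2025:10:01:09 +0000] "GET /filemanager?action=delete&file=../index.php HTTP/1.1" 200 512',
    '198.51.100.4 - bob [21/Jan/2025:10:02:15 +0000] "GET /filemanager?action=delete&file=..%2F..%2Fwakka.config.php HTTP/1.1" 200 0',
    '198.51.100.4 - bob [21/Jan/2025:10:02:40 +0000] "GET /filemanager?action=delete&file=%252e%252e%252findex.php HTTP/1.1" 200 0',
    '192.0.2.9 - carol [21/Jan/2025:10:03:01 +0000] "GET /filemanager?action=delete&file=/var/www/yeswiki/index.php HTTP/1.1" 500 0',
    '192.0.2.9 - carol [21/Jan/2025:10:03:30 +0000] "GET /filemanager?action=delete&file=report..pdf HTTP/1.1" 200 0',
    '192.0.2.9 - carol [21/Jan/2025:10:04:00 +0000] "GET /HomePage HTTP/1.1" 200 2048',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double encoding) is unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_target(target: str) -> bool:
    """True for filemanager requests whose path or any query value carries a
    traversal component or an absolute filesystem path after decoding."""
    if "filemanager" not in target.lower():
        return False
    decoded = decode_fully(target)
    path, _, query = decoded.partition("?")
    if TRAVERSAL.search(path):
        return True
    for param in query.split("&") if query else []:
        _, _, value = param.partition("=")
        if TRAVERSAL.search(value) or value.startswith(("/", "\\")):
            return True
    return False


def scan(lines):
    """Return (ip, user, target) for every parsed line that looks suspicious."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and is_suspicious_target(match["target"]):
            hits.append((match["ip"], match["user"], match["target"]))
    return hits


if __name__ == "__main__":
    for ip, user, target in scan(SAMPLE_LOG):
        print(f"{ip} {user} {target}")
```

Decoding before matching is the important design choice: a rule that greps for the literal string `../` misses `%2e%2e%2f` and `%252e%252e%252f`, both of which reach the application as `../` once the web server and PHP have decoded them.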

Monitoring Recommendations

  • Alert on any modification or deletion of YesWiki core files outside maintenance windows.
  • Track authenticated user actions against the filemanager endpoint and flag bulk deletion patterns.
  • Correlate audit records of file removal by the FPM user with web access log sessions and flag anomalous deletion volume per authenticated user.

How to Mitigate CVE-2025-24019

Immediate Actions Required

  • Upgrade YesWiki to version 4.5.0 or later, which contains the official patch.
  • Audit existing user accounts and revoke access for untrusted or stale authenticated users.
  • Restore any deleted core files from backup and verify installation integrity before resuming public access.
  • Review web server and PHP-FPM logs for prior exploitation evidence.

Patch Information

The fix is delivered in YesWiki 4.5.0 via commit 3ddd833d. The patch constrains filemanager deletion operations to the intended scope and validates supplied paths against the upload directory.

Workarounds

  • Restrict file ownership so that www-data does not own the YesWiki PHP source tree; assign root or a separate user as the owner with read-only permissions for FPM.
  • Disable or remove access to the filemanager component for all non-administrative roles until upgrade is complete.
  • In container deployments, mount the YesWiki source tree read-only into the container and mount only the upload directory as a writable volume, so a traversal cannot reach the application files.
```bash
# Restrict YesWiki source ownership to limit deletion blast radius:
# unlink() needs write permission on the parent directory, so root-owned
# directories with mode 755 cannot be emptied by the FPM user.
sudo chown -R root:www-data /var/www/yeswiki
sudo find /var/www/yeswiki -type d -exec chmod 755 {} \;
sudo find /var/www/yeswiki -type f -exec chmod 644 {} \;
# Keep uploads writable by FPM only where required. files/ is the upload
# directory; check your installation for any other directory YesWiki must
# write to (such as its cache directory) and grant it the same way.
sudo chown -R www-data:www-data /var/www/yeswiki/files
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
