CVE-2025-2917 Overview
CVE-2025-2917 is a path traversal vulnerability [CWE-22] affecting ChestnutCMS versions up to and including 1.5.3. The flaw resides in the readFile function of the /dev-api/cms/file/read endpoint. Attackers manipulate the filePath argument to escape the intended directory and read arbitrary files from the underlying server. The vulnerability is remotely exploitable and requires only low-level authentication privileges. Public disclosure of the exploit details has occurred through a Notion writeup and VulDB submission, increasing the likelihood of opportunistic exploitation against exposed instances.
Critical Impact
Authenticated remote attackers can read arbitrary files from the ChestnutCMS server, exposing configuration files, credentials, and source code that may enable further compromise.
Affected Products
- 1000mz ChestnutCMS versions up to 1.5.3
- Deployments exposing the /dev-api/cms/file/read endpoint
- Web applications built on the affected ChestnutCMS framework
Discovery Timeline
- 2025-03-28 - CVE-2025-2917 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2025-2917
Vulnerability Analysis
The vulnerability stems from improper sanitization of user-controlled input in the file read functionality of ChestnutCMS. The readFile function accepts a filePath parameter through the /dev-api/cms/file/read endpoint without validating directory boundaries. Attackers supply traversal sequences such as ../ to navigate outside the intended file directory. The endpoint then returns the contents of any file accessible to the application process. The EPSS score sits at approximately 0.399%, placing it in the 60th percentile for exploitation likelihood among scored CVEs.
Root Cause
The root cause is missing input validation on the filePath parameter [CWE-22]. ChestnutCMS does not canonicalize the supplied path or restrict reads to a whitelisted base directory. The application trusts the parameter value and passes it directly to file read operations.
Attack Vector
An authenticated attacker sends a crafted HTTP request to the /dev-api/cms/file/read endpoint with a filePath value containing directory traversal sequences. The server resolves the path and returns the file contents in the response. Targets of interest include application configuration files containing database credentials, system files such as /etc/passwd on Linux hosts, and application source code. The exploit has been publicly disclosed in a Notion Vulnerability Report and indexed at VulDB #301890.
Detection Methods for CVE-2025-2917
Indicators of Compromise
- HTTP requests to /dev-api/cms/file/read containing ../ or URL-encoded traversal sequences such as %2e%2e%2f in the filePath parameter
- Outbound responses from ChestnutCMS returning content from sensitive files like /etc/passwd, application.yml, or web.config
- Unusual access patterns to the file read endpoint from a single source IP across short intervals
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the filePath parameter for traversal sequences and reject canonicalized paths outside the application root
- Monitor application access logs for /dev-api/cms/file/read requests and alert on parameter values containing .., null bytes, or absolute paths
- Correlate file read endpoint access with authenticated session activity to identify abuse from compromised low-privilege accounts
Monitoring Recommendations
- Enable verbose logging on the ChestnutCMS API gateway and forward logs to a centralized SIEM for retention and analysis
- Establish a baseline of normal filePath parameter values and alert on deviations
- Track file system audit events for application service accounts reading files outside expected directories
How to Mitigate CVE-2025-2917
Immediate Actions Required
- Restrict network access to the /dev-api/cms/file/read endpoint to trusted administrative networks only
- Audit ChestnutCMS user accounts and revoke unnecessary low-privilege access that could be leveraged to authenticate against the vulnerable endpoint
- Review application logs for prior exploitation attempts targeting the filePath parameter
Patch Information
At the time of the NVD publication, no vendor advisory URL was listed for ChestnutCMS. Administrators should monitor the 1000mz ChestnutCMS project for a release addressing the path traversal flaw and upgrade to a fixed version above 1.5.3 when available.
Workarounds
- Place a reverse proxy or WAF in front of ChestnutCMS to block requests where the filePath parameter contains ../, encoded traversal sequences, or absolute file paths
- Run the ChestnutCMS process under a dedicated low-privilege user account with file system access limited to the application directory
- Apply operating system level mandatory access controls such as AppArmor or SELinux to constrain which files the application can read
# Example nginx rule to block path traversal in filePath parameter
location /dev-api/cms/file/read {
if ($arg_filePath ~* "(\.\./|\.\.\\|%2e%2e|/etc/|/proc/)") {
return 403;
}
proxy_pass http://chestnutcms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

