CVE-2025-45145 Overview
CVE-2025-45145 is a directory traversal vulnerability in Follett Software's Destiny Library Manager. The flaw exists in version 22_0_2_rc1 and is fixed in version 22.5 AU1. Remote, unauthenticated attackers can abuse the image parameter to read arbitrary system and application files on the underlying host. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Destiny Library Manager is widely deployed in K-12 school districts to manage library catalogs and resources, making exposed instances attractive targets for data theft.
Critical Impact
Unauthenticated remote attackers can read arbitrary files, including configuration files containing credentials, application source code, and operating system files.
Affected Products
- Follett Destiny Library Manager version 22_0_2_rc1
- Earlier Destiny Library Manager releases that share the vulnerable image parameter handler (only 22_0_2_rc1 is named in the CVE record; confirm the affected range with Follett)
- Fixed in Destiny Library Manager version 22.5 AU1
Discovery Timeline
- 2026-05-22 - CVE-2025-45145 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2025-45145
Vulnerability Analysis
The vulnerability is an unauthenticated arbitrary file read (often labelled local file inclusion) reachable through the image HTTP parameter. The application accepts a user-supplied filename and passes it to a file-read routine without validating that the resolved path stays within the intended image directory. By supplying traversal sequences such as ../, an attacker escapes that directory and reads any path on the file system that the application's service account can open.
Because no authentication is required, any network-reachable Destiny instance is exposed. The attacker only needs HTTP access to the vulnerable endpoint to retrieve files the application service account can read. Public technical analysis is available in the Medium write-up by Jared Boswell.
Root Cause
The root cause is missing input validation on the image parameter. The handler concatenates the supplied value into a file path and opens it directly. There is no canonicalization step, no allowlist of permitted filenames or extensions, and no check that the final, resolved path lies under the static image directory. This is the classic CWE-22 failure mode.
Attack Vector
An attacker issues an HTTP GET request to the Destiny endpoint that serves images and supplies a traversal payload in the image parameter. Typical payloads use repeated ../ sequences to climb to the file system root, then reference targets such as /etc/passwd on Linux or configuration files containing database credentials, JDBC connection strings, or application secrets. The server returns the file contents in the HTTP response body. Refer to the public proof-of-concept for full request structure and example targets.
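The following is an added example, not Follett's code and not taken from the public write-up: it reproduces the handler pattern described in the Vulnerability Analysis, Root Cause and Attack Vector sections above in Python, beside a hardened version that canonicalizes the path and enforces a containment and extension check. The real Destiny handler's language, routine names and directory layout are not on this page, so image_dir, serve_image_vulnerable, serve_image_safe and the db.properties file are stand-ins constructed for the demonstration.

```python
"""
Added example (not Follett's code): the CWE-22 pattern described above,
reproduced next to a hardened handler. Names, directory layout and the
sample secret file are constructed stand-ins, not Destiny's real ones.
"""
import os
import tempfile

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def serve_image_vulnerable(image_dir: str, name: str) -> bytes:
    """The flaw: concatenate user input into a path and open it.
    No canonicalization, no containment check, no allowlist."""
    path = os.path.join(image_dir, name)  # '../x' walks out of image_dir
    with open(path, "rb") as f:
        return f.read()


def serve_image_safe(image_dir: str, name: str) -> bytes:
    """Hardened: resolve the path first, then require that it stays under
    image_dir and names an allowed image type. Raises ValueError otherwise."""
    if "\x00" in name:
        raise ValueError("null byte in filename")
    base = os.path.realpath(image_dir)
    # realpath collapses '..' segments and follows symlinks, so the
    # containment test below runs on what the OS would actually open
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes image directory")
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("not an allowed image type")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and run
    both handlers against a benign name and a traversal payload."""
    root = tempfile.mkdtemp()
    image_dir = os.path.join(root, "app", "images")
    os.makedirs(image_dir)
    with open(os.path.join(image_dir, "logo.png"), "wb") as f:
        f.write(b"PNG-BYTES")
    # Constructed stand-in for a credentials file one level above images/
    with open(os.path.join(root, "app", "db.properties"), "w") as f:
        f.write("jdbc.password=constructed-secret\n")

    results = {}
    results["vuln_benign"] = serve_image_vulnerable(image_dir, "logo.png")
    results["vuln_traversal"] = serve_image_vulnerable(image_dir, "../db.properties")
    results["safe_benign"] = serve_image_safe(image_dir, "logo.png")
    try:
        serve_image_safe(image_dir, "../db.properties")
        results["safe_traversal"] = "read"
    except ValueError as err:
        results["safe_traversal"] = str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check compares canonical paths rather than looking for ".." in the input, so encoded or mixed separators, symlinks and names like logo.png/../../db.properties are all caught by the same test; the extension allowlist is a second, independent barrier.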
Detection Methods for CVE-2025-45145
Indicators of Compromise
- HTTP requests to Destiny endpoints containing image= with directory traversal sequences such as ../, ..%2f, or ..%5c.
- Requests to image-serving URLs whose image value names sensitive files such as web.xml, server.xml, JDBC properties files, or /etc/passwd.
- Bursts of requests against image-serving URLs from a single source, or responses to those URLs that are text rather than image content, in the period before any unusual outbound transfer from the Destiny server.
Detection Strategies
- Inspect web server and reverse proxy logs for the image query parameter combined with path traversal tokens, including URL-encoded variants.
- Deploy WAF rules that decode and normalize the image parameter, then reject values containing .., absolute paths, or non-image extensions.
- Correlate repeated 200 responses to image endpoints returning non-image MIME types or unusually large text payloads.
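As an added example that is not part of the original advisory, the scanner below applies the log-inspection strategy above to constructed access-log lines: it pulls the raw image value out of each request, percent-decodes it repeatedly, and flags traversal tokens and absolute paths. It goes a step beyond the listed indicators by also handling double encoding (%252e) and the overlong UTF-8 dot (%c0%ae). The endpoint path /destiny/image and the combined log format are assumptions; take the real path and layout from the deployment being reviewed.

```python
"""
Added example, not from the advisory or from Follett: scan access-log
lines for traversal in the image parameter. The /destiny/image path,
the log layout and every line in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in combined (Apache/NGINX) access-log layout.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /destiny/image?image=logo.png HTTP/1.1" 200 4021
203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /destiny/image?image=../../../../etc/passwd HTTP/1.1" 200 1812
203.0.113.7 - - [01/Jun/2026:10:00:03 +0000] "GET /destiny/image?image=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 9000
203.0.113.7 - - [01/Jun/2026:10:00:04 +0000] "GET /destiny/image?image=%252e%252e%255cconf%255cserver.xml HTTP/1.1" 200 7000
203.0.113.9 - - [01/Jun/2026:10:00:05 +0000] "GET /destiny/image?image=covers/978-0.jpg HTTP/1.1" 200 3300
198.51.100.2 - - [01/Jun/2026:10:00:06 +0000] "GET /destiny/image?image=%c0%ae%c0%ae/%c0%ae%c0%ae/conf/catalina.properties HTTP/1.1" 200 500
198.51.100.3 - - [01/Jun/2026:10:00:07 +0000] "GET /destiny/image?image=C:%5cWindows%5cwin.ini HTTP/1.1" 200 420
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# '..' followed by either separator, or an absolute Unix / Windows-drive path
TRAVERSAL_RE = re.compile(r"(\.\.[/\\]|^[/\\]|^[a-zA-Z]:[/\\])")
# Overlong UTF-8 encoding of '.', which unquote() would turn into U+FFFD
OVERLONG_DOT = re.compile(r"%c0%ae", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Fold overlong dots and percent-decode until stable (bounded), so
    %2e%2e, %252e%252e and %c0%ae%c0%ae all become '..'."""
    from urllib.parse import unquote
    for _ in range(rounds):
        value = OVERLONG_DOT.sub(".", value)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_query_param(target: str, name: str):
    """Return the still-encoded value of one query parameter (parse_qs
    would decode it once and hide the original encoding from the record)."""
    for pair in urlsplit(target).query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return val
    return None


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded image value traverses."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw = raw_query_param(m["target"], "image")
        if raw is None:
            continue
        decoded = normalize(raw)
        if TRAVERSAL_RE.search(decoded):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "raw": raw, "decoded": decoded})
    return findings


def summarize(findings: list) -> dict:
    """Hits per source address, for triage of suspected data exposure."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["raw"]} -> {hit["decoded"]}')
    print(summarize(hits))
```

Decoding is bounded at three rounds on purpose: an unbounded loop is a cheap denial-of-service target, and three rounds already cover the double-encoded payloads that bypass a WAF decoding only once.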
Monitoring Recommendations
- Enable verbose HTTP request logging on the Destiny application and forward logs to a central SIEM for retention and search.
- Alert on access to file paths outside the documented Destiny image directory.
- Monitor the Destiny service account for unexpected file reads at the operating system level using file integrity or audit tooling.
How to Mitigate CVE-2025-45145
Immediate Actions Required
- Upgrade Destiny Library Manager to version 22.5 AU1 or later, which contains the vendor fix.
- Restrict network access to Destiny instances so only trusted school district networks can reach the application.
- Review web server logs from the past 90 days for traversal patterns against the image parameter and treat matches as suspected data exposure.
- Rotate any credentials, API keys, or database passwords that were stored in files readable by the Destiny service account.
Patch Information
Follett released the fix in Destiny Library Manager 22.5 AU1. Administrators should contact Follett support or consult the Follett official website for upgrade packages and release notes. Apply the update through the standard Destiny upgrade workflow and verify the running version after deployment.
Workarounds
- Place a reverse proxy or WAF in front of Destiny and block requests where the image value, after percent-decoding (including double-encoded forms), contains .., %2e%2e, or absolute path indicators.
- Restrict the Destiny service account file system permissions so it cannot read sensitive operating system or configuration files outside its application directory.
- Limit external exposure of the Destiny web interface using IP allowlisting or VPN-only access until the patch is applied.
# Example NGINX rule to block traversal in the image parameter.
# $arg_image is not percent-decoded, so match raw and encoded forms; ~* makes the match case-insensitive.
# Inside double quotes nginx collapses \\ to \, so a literal backslash in the regex must be written \\\\.
if ($arg_image ~* "(\.\.(/|\\\\|%2f|%5c)|%2e%2e|^(/|%2f|[a-z]:)|/etc/|windows[/\\\\])") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.