CVE-2025-5385 Overview
A path traversal vulnerability has been identified in JeeWMS, an open-source warehouse management system developed by Huayi-tec. This vulnerability affects the doAdd function within the file /cgformTemplateController.do?doAdd, allowing attackers to manipulate file paths and potentially access or modify files outside the intended directory structure. The vulnerability can be exploited remotely by authenticated users.
Critical Impact
Remote attackers with low privileges can exploit this path traversal flaw to read or write files outside the intended directory, potentially leading to information disclosure, configuration tampering, or system compromise.
Affected Products
- Huayi-tec JeeWMS versions up to and including 20250504
- JeeWMS installations using the vulnerable cgformTemplateController.do endpoint
- All deployments with the doAdd function exposed to network access
Discovery Timeline
- 2025-05-31 - CVE-2025-5385 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2025-5385
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the JeeWMS warehouse management system, specifically within the form template controller functionality. The doAdd function in /cgformTemplateController.do?doAdd fails to properly sanitize user-supplied input, allowing attackers to inject directory traversal sequences (such as ../) to escape the intended file system boundaries.
The vulnerability is exploitable remotely over the network with low attack complexity. An attacker requires low-level privileges to exploit this flaw, meaning they need some form of authenticated access to the application. Once exploited, the attacker can potentially read sensitive configuration files, access stored credentials, or write malicious files to arbitrary locations on the server.
JeeWMS uses continuous delivery with rolling releases, which means specific version numbers are not tracked in traditional versioning schemes. This complicates patch tracking and version-based remediation efforts.
Root Cause
The root cause of this vulnerability is improper input validation in the doAdd function of the cgformTemplateController. The application fails to sanitize file path inputs, allowing directory traversal sequences to be processed without restriction. This lack of path canonicalization permits attackers to reference files and directories outside the application's intended scope.
Attack Vector
The attack vector for CVE-2025-5385 is network-based, requiring authenticated access to the JeeWMS application. An attacker can craft malicious requests to the /cgformTemplateController.do?doAdd endpoint with specially crafted path parameters containing traversal sequences.
The exploitation process involves:
- Authenticating to the JeeWMS application with valid credentials
- Sending a crafted HTTP request to the vulnerable endpoint
- Including directory traversal sequences in the file path parameter
- Accessing or manipulating files outside the intended directory
For detailed technical information about this vulnerability, refer to the Gitee Issue Report which contains the original vulnerability disclosure.
Detection Methods for CVE-2025-5385
Indicators of Compromise
- HTTP requests to /cgformTemplateController.do?doAdd containing path traversal sequences such as ../, ..%2f, or ..%5c
- Unusual file access patterns in web server logs indicating attempts to read system files like /etc/passwd or configuration files
- Anomalous file creation or modification in directories outside the JeeWMS application root
- Authentication logs showing repeated access to the form template controller from suspicious sources
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing directory traversal patterns
- Monitor access logs for requests to cgformTemplateController.do endpoints with suspicious path parameters
- Deploy file integrity monitoring (FIM) on critical system and application directories
- Configure intrusion detection systems (IDS) to alert on path traversal attack signatures targeting Java web applications
Monitoring Recommendations
- Enable detailed logging for all requests to the JeeWMS form controller endpoints
- Set up alerts for any file system access attempts outside the application's designated directories
- Monitor for successful exploitation attempts by tracking unusual file read/write operations
- Review authentication logs for accounts accessing the vulnerable endpoint with increased frequency
How to Mitigate CVE-2025-5385
Immediate Actions Required
- Restrict network access to the /cgformTemplateController.do endpoint using firewall rules or application-level access controls
- Implement input validation at the web application firewall level to block directory traversal sequences
- Review and limit user accounts with access to the form template controller functionality
- Enable additional logging and monitoring for the affected endpoint while awaiting a permanent fix
Patch Information
JeeWMS uses a continuous delivery model with rolling releases, which means traditional patch versioning is not available. Administrators should pull the latest version from the official repository and verify that the vulnerability has been addressed in recent commits. Monitor the Gitee Issue Report for updates on the fix status.
Additional vulnerability details can be found at VulDB #310678 and VulDB CTI #310678.
Workarounds
- Deploy a reverse proxy or WAF in front of JeeWMS to filter malicious path traversal patterns before they reach the application
- Restrict access to the cgformTemplateController.do endpoint to trusted IP addresses or internal networks only
- Implement application-level path validation by modifying the doAdd function to canonicalize and validate all file paths
- Consider temporarily disabling the form template functionality if it is not critical to operations
# Example WAF rule to block path traversal attempts (ModSecurity)
SecRule REQUEST_URI "@contains cgformTemplateController.do" \
"chain,id:100001,phase:2,deny,status:403,msg:'Path traversal attempt blocked'"
SecRule ARGS "@rx (\.\.\/|\.\.\\\\|%2e%2e%2f|%2e%2e%5c)" \
"t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
