CVE-2025-65879 Overview
CVE-2025-65879 is an authenticated arbitrary file deletion vulnerability in Yeqifu Warehouse Management System 1.2. The flaw resides in the /goods/deleteGoods endpoint, which accepts a user-controlled goodsimg parameter. The application concatenates this parameter with the server's UPLOAD_PATH and passes the result to Java's File.delete() without validation or sanitization. A remote authenticated attacker can supply directory traversal payloads to delete arbitrary files on the server. This weakness maps to CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Authenticated attackers can remotely delete arbitrary files on the host, leading to data loss, application corruption, or denial of service.
Affected Products
- Yeqifu Warehouse Management System 1.2
- Deployments exposing the /goods/deleteGoods endpoint
- Instances where authenticated user accounts can be obtained or registered
Discovery Timeline
- 2025-12-05 - CVE-2025-65879 published to NVD
- 2025-12-12 - Last updated in NVD database
Technical Details for CVE-2025-65879
Vulnerability Analysis
The vulnerability exists in the goods deletion workflow of Yeqifu Warehouse Management System 1.2. When a client invokes /goods/deleteGoods, the backend reads the goodsimg request parameter and appends it directly to a server-side base directory variable (UPLOAD_PATH). The resulting path is handed to File.delete() with no canonicalization, allow-list check, or traversal sanitization. Because the parameter is fully attacker-controlled, any path the application process can reach on disk is reachable for deletion.
Exploitation requires only low-privilege authentication. An attacker submits a goodsimg value containing relative traversal sequences such as ../ segments to escape UPLOAD_PATH and reference sensitive files outside the upload directory. Targets include application configuration files, JAR libraries, database files, and operating system artifacts writable by the service account.
Root Cause
The root cause is missing input validation on a filesystem-bound parameter. The application trusts a user-supplied string as a safe relative filename and performs no path normalization before invoking File.delete(). There is no constraint that the resolved path remain inside the intended upload directory, and no allow-list of permitted filenames.
Attack Vector
The attack vector is network-based against the HTTP API. The attacker authenticates with any valid account, then issues a request to /goods/deleteGoods with a crafted goodsimg parameter containing directory traversal sequences. Each successful request removes one targeted file. Repeated requests can chain into broader application or system disruption. Technical discussion is available in the GitHub Issue Discussion.
Detection Methods for CVE-2025-65879
Indicators of Compromise
- HTTP requests to /goods/deleteGoods with goodsimg parameter values containing ../, ..\, URL-encoded variants such as %2e%2e%2f, or absolute paths
- Unexpected deletion of files outside the configured UPLOAD_PATH directory
- Application errors, missing configuration files, or service failures following authenticated user activity
- Audit log entries showing low-privilege users invoking deletion endpoints at unusual frequency
Detection Strategies
- Inspect web access logs for goodsimg parameter values that include traversal tokens or path separators
- Correlate file deletion events on the host with application request logs to identify deletions originating from the WMS process
- Establish file integrity monitoring on application binaries, configuration files, and the parent directories of UPLOAD_PATH
Monitoring Recommendations
- Forward application and web server logs to a centralized analytics platform and alert on traversal patterns in request parameters
- Monitor the service account's filesystem activity for deletions outside the intended upload directory
- Track authenticated session activity for anomalous volumes of /goods/deleteGoods calls per user
How to Mitigate CVE-2025-65879
Immediate Actions Required
- Restrict network access to the Warehouse Management System to trusted users until a vendor fix is applied
- Audit and reduce the number of authenticated accounts that can reach /goods/deleteGoods
- Run the application service under a least-privilege account whose write and delete permissions are limited to UPLOAD_PATH
- Back up application configuration files, databases, and upload directories so deletions can be reversed
Patch Information
No vendor patch or advisory was referenced in the NVD entry at the time of publication. Monitor the upstream project and the GitHub Issue Discussion for fix updates. Until a patched release is available, apply the workarounds below.
Workarounds
- Deploy a web application firewall rule that blocks requests to /goods/deleteGoods when the goodsimg parameter contains .., /, \, or URL-encoded equivalents
- Apply filesystem ACLs that prevent the application service account from deleting files outside UPLOAD_PATH
- If the deletion functionality is not required, disable or remove the /goods/deleteGoods route at the reverse proxy or application layer
- Validate the goodsimg value against an allow-list of filenames retrieved from the database before any filesystem operation
# Example reverse-proxy filter (nginx) to block traversal payloads on the vulnerable endpoint
location /goods/deleteGoods {
if ($arg_goodsimg ~* "(\.\./|\.\.\\|%2e%2e|/|\\)") {
return 403;
}
proxy_pass http://wms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

