CVE-2025-7566 Overview
CVE-2025-7566 is a path traversal vulnerability [CWE-22] affecting jshERP versions up to 3.5. The flaw resides in the exportExcelByParam function within /src/main/java/com/jsh/erp/controller/SystemConfigController.java. Attackers manipulate the Title parameter to traverse directory boundaries during Excel export operations. The vulnerability requires high privileges but can be exploited remotely over the network. A public proof-of-concept has been disclosed, increasing exposure for unpatched deployments. The vendor, jishenghua, was contacted prior to public disclosure but did not respond.
Critical Impact
Authenticated remote attackers can traverse the file system through the Title parameter, enabling unauthorized read or write access to files outside the intended export directory.
Affected Products
- jishenghua jsherp versions up to and including 3.5
- Component: SystemConfigController.java
- Vulnerable function: exportExcelByParam
Discovery Timeline
- 2025-07-14 - CVE-2025-7566 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7566
Vulnerability Analysis
The vulnerability stems from improper sanitization of the Title argument passed to the exportExcelByParam function in jshERP's SystemConfigController. The function uses the user-supplied Title value to construct a file path for the exported Excel document. Because the input is not validated against directory traversal sequences such as ../, an authenticated attacker can redirect file operations outside the intended export directory.
The attack is network-accessible and requires no user interaction. According to the CVSS 4.0 vector, both confidentiality and integrity impacts are limited in scope, but the public availability of a proof-of-concept raises the practical risk for exposed deployments. The EPSS probability is 0.573% with a percentile of 42.8.
Root Cause
The root cause is missing input validation on the Title parameter before it is concatenated into a file path. jshERP does not canonicalize the resulting path or restrict it to a safe base directory. Sequences such as ..\ or ../ traverse parent directories, breaking the intended containment of the export workflow.
Attack Vector
An authenticated attacker submits a crafted HTTP request to the export endpoint backed by exportExcelByParam. The Title field carries traversal sequences that resolve to attacker-chosen locations on the server file system. Depending on application permissions, this allows writing the generated Excel file to arbitrary locations or referencing files outside the export root. Technical reproduction steps are published in the GitHub Proof of Concept.
Detection Methods for CVE-2025-7566
Indicators of Compromise
- HTTP requests to jshERP endpoints containing ../, ..\, or URL-encoded variants (%2e%2e%2f) in the Title parameter
- Excel files written to unexpected directories outside the configured jshERP export path
- Authentication logs showing privileged accounts performing repeated export operations with unusual parameter values
Detection Strategies
- Inspect application and web server logs for requests targeting SystemConfigController endpoints with suspicious Title values
- Deploy web application firewall rules that detect directory traversal patterns in POST bodies and query strings
- Correlate file system creation events on the jshERP host with corresponding HTTP request logs to identify out-of-bounds writes
Monitoring Recommendations
- Enable verbose request logging for all jshERP controller endpoints handling file generation
- Monitor file creation events outside the designated export directory using file integrity monitoring
- Alert on privileged account activity that deviates from baseline export behavior
How to Mitigate CVE-2025-7566
Immediate Actions Required
- Restrict network access to jshERP administrative endpoints to trusted users and networks only
- Audit existing administrative accounts and rotate credentials for any account with access to export functionality
- Review file system contents for unauthorized files written by the jshERP application process
Patch Information
No vendor patch is currently available. The vendor jishenghua was contacted regarding this vulnerability but did not respond. Organizations running jshERP 3.5 or earlier should track the VulDB advisory for patch release updates and consider compensating controls in the interim.
Workarounds
- Place jshERP behind a reverse proxy or WAF that filters directory traversal patterns in request parameters
- Run the jshERP application process under a least-privilege account with restricted write access to non-export directories
- Apply operating system level access controls limiting the application's ability to write outside designated export paths
- Disable or restrict access to the exportExcelByParam functionality if it is not required for business operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

