Skip to main content
CVE Vulnerability Database

CVE-2025-7566: Jishenghua Jsherp Path Traversal Flaw

CVE-2025-7566 is a critical path traversal vulnerability in jshERP up to version 3.5 affecting the exportExcelByParam function. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7566 Overview

CVE-2025-7566 is a path traversal vulnerability [CWE-22] affecting jshERP versions up to 3.5. The flaw resides in the exportExcelByParam function within /src/main/java/com/jsh/erp/controller/SystemConfigController.java. Attackers manipulate the Title parameter to traverse directory boundaries during Excel export operations. The vulnerability requires high privileges but can be exploited remotely over the network. A public proof-of-concept has been disclosed, increasing exposure for unpatched deployments. The vendor, jishenghua, was contacted prior to public disclosure but did not respond.

Critical Impact

Authenticated remote attackers can traverse the file system through the Title parameter, enabling unauthorized read or write access to files outside the intended export directory.

Affected Products

  • jishenghua jsherp versions up to and including 3.5
  • Component: SystemConfigController.java
  • Vulnerable function: exportExcelByParam

Discovery Timeline

  • 2025-07-14 - CVE-2025-7566 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7566

Vulnerability Analysis

The vulnerability stems from improper sanitization of the Title argument passed to the exportExcelByParam function in jshERP's SystemConfigController. The function uses the user-supplied Title value to construct a file path for the exported Excel document. Because the input is not validated against directory traversal sequences such as ../, an authenticated attacker can redirect file operations outside the intended export directory.

The attack is network-accessible and requires no user interaction. According to the CVSS 4.0 vector, both confidentiality and integrity impacts are limited in scope, but the public availability of a proof-of-concept raises the practical risk for exposed deployments. The EPSS probability is 0.573% with a percentile of 42.8.

Root Cause

The root cause is missing input validation on the Title parameter before it is concatenated into a file path. jshERP does not canonicalize the resulting path or restrict it to a safe base directory. Sequences such as ..\ or ../ traverse parent directories, breaking the intended containment of the export workflow.

Attack Vector

An authenticated attacker submits a crafted HTTP request to the export endpoint backed by exportExcelByParam. The Title field carries traversal sequences that resolve to attacker-chosen locations on the server file system. Depending on application permissions, this allows writing the generated Excel file to arbitrary locations or referencing files outside the export root. Technical reproduction steps are published in the GitHub Proof of Concept.

Detection Methods for CVE-2025-7566

Indicators of Compromise

  • HTTP requests to jshERP endpoints containing ../, ..\, or URL-encoded variants (%2e%2e%2f) in the Title parameter
  • Excel files written to unexpected directories outside the configured jshERP export path
  • Authentication logs showing privileged accounts performing repeated export operations with unusual parameter values

Detection Strategies

  • Inspect application and web server logs for requests targeting SystemConfigController endpoints with suspicious Title values
  • Deploy web application firewall rules that detect directory traversal patterns in POST bodies and query strings
  • Correlate file system creation events on the jshERP host with corresponding HTTP request logs to identify out-of-bounds writes

Monitoring Recommendations

  • Enable verbose request logging for all jshERP controller endpoints handling file generation
  • Monitor file creation events outside the designated export directory using file integrity monitoring
  • Alert on privileged account activity that deviates from baseline export behavior

How to Mitigate CVE-2025-7566

Immediate Actions Required

  • Restrict network access to jshERP administrative endpoints to trusted users and networks only
  • Audit existing administrative accounts and rotate credentials for any account with access to export functionality
  • Review file system contents for unauthorized files written by the jshERP application process

Patch Information

No vendor patch is currently available. The vendor jishenghua was contacted regarding this vulnerability but did not respond. Organizations running jshERP 3.5 or earlier should track the VulDB advisory for patch release updates and consider compensating controls in the interim.

Workarounds

  • Place jshERP behind a reverse proxy or WAF that filters directory traversal patterns in request parameters
  • Run the jshERP application process under a least-privilege account with restricted write access to non-export directories
  • Apply operating system level access controls limiting the application's ability to write outside designated export paths
  • Disable or restrict access to the exportExcelByParam functionality if it is not required for business operations

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.