CVE-2025-7628 Overview
CVE-2025-7628 is a path traversal vulnerability [CWE-22] in YiJiuSmile kkFileViewOfficeEdit up to commit 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. The flaw resides in the deleteFile function exposed through the /deleteFile endpoint. An attacker can manipulate the fileName parameter to traverse outside the intended directory and delete arbitrary files on the host. The issue is remotely reachable and the exploit details have been disclosed publicly. Because the project follows a rolling release model, no fixed version identifier is published by the vendor.
Critical Impact
Remote attackers with low privileges can delete arbitrary files on the server by injecting traversal sequences into the fileName parameter of /deleteFile.
Affected Products
- YiJiuSmile kkFileViewOfficeEdit (rolling release)
- Builds up to and including commit 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd
- Deployments exposing the /deleteFile endpoint to untrusted networks
Discovery Timeline
- 2025-07-14 - CVE-2025-7628 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7628
Vulnerability Analysis
The vulnerability exists in the deleteFile handler bound to the /deleteFile route. The handler accepts a user-controlled fileName argument and uses it to construct a filesystem path without normalizing or constraining it to an allow-listed directory. Supplying traversal sequences such as ../ causes the resolved path to escape the intended file storage directory. The endpoint then performs a delete operation on the resolved path, removing files the application user account can access. The attacker requires network reachability to the application and authenticated context at a low privilege level based on the published vector. Successful exploitation does not yield code execution but compromises integrity and availability by removing configuration, log, or data files.
Root Cause
The root cause is missing canonicalization and validation of the fileName input. The code joins user input directly with a base directory string instead of resolving the canonical path and verifying it remains within the intended base.
Attack Vector
An attacker sends an HTTP request to /deleteFile with a crafted fileName value containing ../ sequences or an absolute path. The server resolves the path outside the storage root and deletes the targeted file. Repeated requests can be used to remove application binaries, templates, or log evidence.
No verified exploit code is published in the enriched references. See the GitHub Issue Report and VulDB #316329 for additional technical context.
Detection Methods for CVE-2025-7628
Indicators of Compromise
- HTTP requests to /deleteFile containing ../, ..\\, URL-encoded variants such as %2e%2e%2f, or absolute path values in the fileName parameter.
- Unexpected file deletions in directories outside the kkFileViewOfficeEdit storage root, including configuration, log, or system paths.
- Web server access logs showing the kkFileViewOfficeEdit service account performing delete operations on non-document paths.
Detection Strategies
- Inspect application and reverse-proxy logs for POST or GET requests to /deleteFile with traversal patterns in query strings or bodies.
- Add a WAF or reverse-proxy rule that flags any fileName parameter containing path separators, dot segments, or non-document file extensions.
- Run filesystem integrity monitoring across directories adjacent to the kkFileViewOfficeEdit installation to surface unauthorized deletions.
Monitoring Recommendations
- Alert when the kkFileViewOfficeEdit process performs unlink or equivalent syscalls outside its configured document directory.
- Centralize web access logs and correlate /deleteFile activity with source IP reputation and authentication events.
- Track file-deletion volume per session and alert on bursts that exceed normal user behavior.
How to Mitigate CVE-2025-7628
Immediate Actions Required
- Restrict network exposure of the /deleteFile endpoint to trusted users and internal networks only.
- Place the application behind a reverse proxy that rejects requests containing path traversal sequences in any parameter.
- Run the kkFileViewOfficeEdit process under a least-privileged service account that cannot delete files outside its document directory.
- Audit the host for unauthorized file deletions and restore from backup where required.
Patch Information
The project uses a rolling release model and no versioned fix is listed in the advisory. Monitor the upstream repository and the GitHub Issue Report for a patched commit. Once published, rebuild from a commit later than 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd that introduces path canonicalization on the fileName argument.
Workarounds
- Apply a local code patch that resolves fileName with a canonical-path API and rejects any result not prefixed by the configured storage root.
- Enforce an allow-list of permitted file extensions and reject any input containing /, \\, :, or .. characters.
- Disable the /deleteFile route entirely if delete functionality is not required in the deployment.
- Use mandatory access controls such as AppArmor or SELinux to constrain the application to its document directory.
# Example reverse-proxy rule (nginx) to block traversal in fileName
location /deleteFile {
if ($arg_fileName ~* "(\.\.|%2e%2e|/|\\\\)") {
return 400;
}
proxy_pass http://kkfileview_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

