CVE-2025-8965 Overview
CVE-2025-8965 is an unrestricted file upload vulnerability affecting linlinjava litemall versions up to 1.8.0. The flaw resides in the create function within litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java. Attackers with low-level privileges can manipulate the File argument to upload arbitrary file types to the server, bypassing intended access control restrictions [CWE-284]. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed administrative endpoints. The vulnerability is remotely exploitable over the network and impacts confidentiality, integrity, and availability at a limited level.
Critical Impact
Authenticated remote attackers can upload arbitrary files through the litemall admin storage endpoint, potentially enabling persistence or further compromise of the application server.
Affected Products
- linlinjava litemall versions up to and including 1.8.0
- litemall-admin-api component (AdminStorageController.java)
- Deployments exposing the storage create endpoint to networked users
Discovery Timeline
- 2025-08-14 - CVE-2025-8965 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8965
Vulnerability Analysis
The vulnerability stems from missing or insufficient validation in the storage upload handler of the litemall administrative API. The create method in AdminStorageController.java accepts a File parameter without enforcing restrictions on file type, extension, or content. An authenticated attacker with administrative API access can submit arbitrary file payloads that the application persists to its storage backend. Because the endpoint is network-reachable, exploitation does not require local access. The vulnerability is classified under [CWE-284] (Improper Access Control), reflecting the absence of effective upload filtering. EPSS data places exploitation probability at 0.337%, indicating limited but non-zero predicted exploit activity.
Root Cause
The root cause is the absence of allowlist-based file type validation in the create handler of the AdminStorageController class. The endpoint relies on the caller to supply acceptable content, which violates secure-by-default principles for file ingestion. Without server-side enforcement of MIME type, extension, and magic-byte checks, malicious files can be persisted alongside legitimate assets.
Attack Vector
An attacker with valid low-privilege credentials sends an HTTP request to the administrative storage create endpoint. The request body contains a crafted File parameter referencing an arbitrary payload. The server accepts the upload and stores the file in the application storage directory. If the upload location is reachable through the web server or referenced by subsequent application logic, the attacker may use the persisted file to support follow-on actions. No exploitation code has been verified in a public repository; refer to the GitHub Issue Report for vendor discussion.
Detection Methods for CVE-2025-8965
Indicators of Compromise
- Unexpected files with executable or script extensions written to the litemall storage directory by the admin API process.
- HTTP POST requests to the admin storage create endpoint from unusual source addresses or service accounts.
- Newly created files in storage whose MIME type or magic bytes do not match the declared content type.
Detection Strategies
- Inspect application logs for calls to the AdminStorageController.create method and correlate with the uploaded filename and originating user.
- Compare uploaded file extensions against an expected allowlist (images, documents) and alert on deviations.
- Monitor outbound or in-process file reads from the storage directory that result in code execution or script interpretation.
Monitoring Recommendations
- Enable verbose request logging on the litemall admin API and forward logs to a centralized analytics platform.
- Baseline normal upload patterns by admin user and alert on volume or file-type anomalies.
- Track filesystem changes in the litemall storage path using integrity monitoring agents.
How to Mitigate CVE-2025-8965
Immediate Actions Required
- Restrict network exposure of the litemall admin API to trusted management networks or VPN-accessible segments.
- Rotate administrative credentials and audit accounts that have access to the storage create endpoint.
- Review the application storage directory for files added since deployment and remove any unauthorized artifacts.
Patch Information
No official patched release has been published in the enriched data at time of writing. Track the upstream GitHub Issue Report and GitHub Issue Discussion for vendor remediation. Operators should plan to upgrade once a fixed version of litemall is released and validated.
Workarounds
- Place the litemall admin API behind an authenticating reverse proxy that enforces extension and MIME allowlists at the edge.
- Configure the web server to refuse execution of scripts within the litemall storage directory, for example by disabling handler mappings for .jsp, .php, and similar extensions.
- Apply a custom servlet filter ahead of AdminStorageController that validates uploaded file extensions and magic bytes against an allowlist of expected image types.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

