Vulnerability Description
A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lostvip | Ruoyi-Go | <= 2.1 |
Related Weaknesses (CWE)
References
- https://github.com/on-theway/cve/issues/1Broken Link
- https://github.com/on-theway/cve/issues/2Broken Link
- https://vuldb.com/?ctiid.321250Permissions RequiredVDB Entry
- https://vuldb.com/?id.321250Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.633661Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.633663Third Party AdvisoryVDB Entry
FAQ
What is CVE-2025-9409?
CVE-2025-9409 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipul...
How severe is CVE-2025-9409?
CVE-2025-9409 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-9409?
Check the references section above for vendor advisories and patch information. Affected products include: Lostvip Ruoyi-Go.