CVE-2025-24019: Authenticated arbitrary file deletion in YesWiki

January 21, 2025

It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem’s scope.

This Proof of Concept has been performed using the followings:

YesWiki v4.4.5 (doryphore-dev branch, latest)
Docker environnment (docker/docker-compose.yml)
Docker v27.5.0
Default installation

References

github.com/YesWiki/yeswiki
github.com/YesWiki/yeswiki/commit/3ddd833d22703caf9025659eb174f7765df7147c
github.com/YesWiki/yeswiki/security/advisories/GHSA-43c9-gw4x-pcx6
github.com/advisories/GHSA-43c9-gw4x-pcx6
nvd.nist.gov/vuln/detail/CVE-2025-24019

Code Behaviors & Features

Detect and mitigate CVE-2025-24019 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →