CVE-2025-24019: Authenticated arbitrary file deletion in YesWiki
It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem’s scope.
This Proof of Concept has been performed using the followings:
- YesWiki v4.4.5 (
doryphore-dev
branch, latest) - Docker environnment (
docker/docker-compose.yml
) - Docker v27.5.0
- Default installation
References
Detect and mitigate CVE-2025-24019 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →