CVE-2025-31131: Yeswiki Path Traversal vulnerability allows arbitrary read of files

April 1, 2025

The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload ../../../../../../etc/passwd was submitted in the squelette parameter. The requested file was returned in the application’s response.

References

github.com/YesWiki/yeswiki
github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989
github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm
github.com/advisories/GHSA-w34w-fvp3-68xm
nvd.nist.gov/vuln/detail/CVE-2025-31131

Code Behaviors & Features

Detect and mitigate CVE-2025-31131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →