CVE-2025-66410: Gin-vue-admin has an arbitrary file deletion vulnerability

December 2, 2025

Attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the ‘FileMd5’ parameter to delete any file and folder

The affected code:

Click to open external image

Affected interfaces: /api/fileUploadAndDownload/removeChunk

POC: You can specify the FileMd5 value as the directory or file you want to delete

References

github.com/advisories/GHSA-jrhg-82w2-vvj7
github.com/flipped-aurora/gin-vue-admin
github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6
github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7
nvd.nist.gov/vuln/detail/CVE-2025-66410

Code Behaviors & Features

Detect and mitigate CVE-2025-66410 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →