CVE-2025-31131
Published 2025-04-01
Priority: P259 · Severity: high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Public exploit: available
EPSS: 5.40% (91.7th percentile)
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability is fixed in 4.5.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yeswiki | yeswiki | < 4.5.2 | 4.5.2 |
| yeswiki | yeswiki | >= 0 < 4.5.2 | 4.5.2 |
Detection & IOCs
url: `/?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css`
other: `squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd`
- Detect path traversal exploitation attempts against YesWiki via the 'squelette' GET parameter containing URL-encoded directory traversal sequences (..%2f).
- HTTP response header 'YesWiki-main' is present on vulnerable YesWiki instances and can be used as a fingerprint to confirm target applicability.
- Shodan query 'html:"yeswiki"' can be used to identify internet-exposed YesWiki instances potentially vulnerable to this CVE.
- Successful exploitation returns /etc/passwd content in the HTTP response body; monitor for the regex pattern 'root:.*:0:0:' in responses to requests containing the squelette traversal payload.
- The vulnerability is unauthenticated (PR:N, UI:N per CVSS), so no session or credentials are required; any request with a traversal squelette parameter should be treated as suspicious.
- The vulnerability is fixed in YesWiki version 4.5.2; instances running versions prior to 4.5.2 are affected. Version detection should be part of triage.
- The Nuclei template uses a single HTTP request (max-request: 1), meaning detection is lightweight but relies on both the YesWiki-main response header AND the passwd regex match being present simultaneously.
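The log-side check described in the list above, as an added example (not code from this page, the Nuclei template or the YesWiki project). It assumes combined-format web server access logs; the function names, sample log lines and the benign template name are constructed for illustration, and it also catches double-encoded variants such as `%252f`, which goes beyond the single-encoded indicator quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Response-body indicator quoted on this page.
PASSWD_RE = re.compile(r"root:.*:0:0:")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%252f) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if a squelette value would leave the template directory."""
    path = fully_decode(value).replace("\\", "/")
    return "\x00" in path or path.startswith("/") or ".." in path.split("/")

def suspicious_squelette(log_line):
    """Return the decoded squelette value if it carries traversal, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == "squelette" and is_traversal(value):
            return fully_decode(value)
    return None

def body_leaks_passwd(body):
    """Apply the page's response regex to a captured response body."""
    return bool(PASSWD_RE.search(body))

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2025:10:00:01 +0000] "GET /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1" 200 1843',
    '203.0.113.7 - - [02/Apr/2025:10:00:02 +0000] "GET /?PagePrincipale&squelette=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 512',
    '198.51.100.4 - - [02/Apr/2025:10:00:03 +0000] "GET /?PagePrincipale/edit&theme=margot&squelette=1col.tpl.html&style=margot.css HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = suspicious_squelette(line)
        if hit:
            print("ALERT squelette traversal:", hit)
```

A hit on a host still running a version below 4.5.2 should be triaged as a possible file disclosure; on 4.5.2 or later it is a blocked attempt worth recording.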
OSV
Yeswiki Path Traversal vulnerability allows arbitrary read of files
osv·2025-04-01
CVE-2025-31131 [HIGH] Yeswiki Path Traversal vulnerability allows arbitrary read of files
### Summary
The `squelette` parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload `../../../../../../etc/passwd` was submitted in the `squelette` parameter. The requested file was returned in the application's response.
### Details
File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesyste
GHSA
Yeswiki Path Traversal vulnerability allows arbitrary read of files
ghsa·2025-04-01
CVE-2025-31131 [HIGH] CWE-22 Yeswiki Path Traversal vulnerability allows arbitrary read of files
No detection rules found.
Exploit-DB
YesWiki 4.5.1 - Unauthenticated Path Traversal
exploitdb·2025-04-07·CVSS 8.6
CVE-2025-31131 [HIGH] YesWiki 4.5.1 - Unauthenticated Path Traversal
---
# Exploit Title: YesWiki [file_to_read]")
print(f"Example: python3 {sys.argv[0]} http://victim.com /etc/passwd")
sys.exit(1)
target_url = sys.argv[1]
file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
exploit(target_url, file_to_read)
Nuclei
Yeswiki < 4.5.2 - Unauthenticated Path Traversal
nuclei·CVSS 7.5
CVE-2025-31131 [HIGH] Yeswiki < 4.5.2 - Unauthenticated Path Traversal
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
Template:
```yaml
id: CVE-2025-31131
info:
  name: Yeswiki < 4.5.2 - Unauthenticated Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
  impact: |
    Unauthenticated attackers can exploit path traversal through the squelette parameter to read arbitrary files from the YesWiki server, potentially exposing sensitive configuration and data files.
  remediation: |
    This vulnerability is fixed in 4.5.2.
  referen
```
No writeups or analysis indexed.
2025-04-01
Published