CVE-2025-46822
Published 2025-05-21
Priority P2 59 · high · 7.7 (CVSS 4.0)
EXPLOIT
EPSS: 3.85% (88.8th percentile)
OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_kernel_6.6.47.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.51.1-5_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_kernel_5.15.164.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.167.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_libjpeg-turbo_2.1.2-1_on_cbl_mariner_1.0 | — | — |
| osamataher | java-springboot-codebase | < c835c6f7799eacada4c0fc77e0816f250af01ad2 | c835c6f7799eacada4c0fc77e0816f250af01ad2 |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to the /api/v1/files/ endpoint where the path component is an absolute path (starts with URL-encoded or literal '/'), indicating an absolute path traversal attempt against CVE-2025-46822.
- Fingerprint vulnerable Spring Boot instances by checking for 'Whitelabel Error Page' or 'explicit mapping' strings in the HTTP response body of the root path GET /.
- Flag HTTP 200 responses to /api/v1/files/ requests whose body matches the pattern 'root:.*:0:0:' as successful arbitrary file read exploitation.
- The exploit URL-encodes the absolute file path before appending it to the endpoint; monitor for percent-encoded path separators (e.g., %2F) in requests to /api/v1/files/.
- The patch is tied to a specific commit; instances not yet updated to commit c835c6f7799eacada4c0fc77e0816f250af01ad2 remain vulnerable. Verify the deployed commit hash before assuming remediation.
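The request and response checks listed above, as an added Python example (not code from this page or its sources). The combined-log-format lines are constructed samples, and decoding up to three rounds to catch double encoding is an assumption that goes beyond what the notes state.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/api/v1/files/"   # endpoint named in the detection notes
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PASSWD_RE = re.compile(r"root:.*:0:0:")   # response-body pattern from the notes

def classify_target(target):
    """Return a reason if the path after ENDPOINT is absolute, else None."""
    path = target.split("?", 1)[0]
    if not path.startswith(ENDPOINT):
        return None
    raw = path[len(ENDPOINT):]
    decoded = raw
    for _ in range(3):   # bounded repeat decode (assumption: also catch %252F)
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if not decoded.startswith("/"):
        return None
    return "literal-absolute-path" if raw.startswith("/") else "encoded-absolute-path"

def scan_log(lines):
    """Return (line_number, status, reason) for each suspicious GET request."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m or m["method"] != "GET":
            continue
        reason = classify_target(m["target"])
        if reason:
            alerts.append((n, int(m["status"]), reason))
    return alerts

def body_indicates_file_read(status, body):
    """True when a 200 response body matches the passwd-style pattern."""
    return status == 200 and PASSWD_RE.search(body) is not None

# Constructed access-log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2025:10:00:01 +0000] "GET /api/v1/files/report.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/May/2025:10:00:02 +0000] "GET /api/v1/files/%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [25/May/2025:10:00:03 +0000] "GET /api/v1/files//etc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - - [25/May/2025:10:00:04 +0000] "GET / HTTP/1.1" 404 306',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

An alert with status 200 is the one to triage first; where response bodies are captured, `body_indicates_file_read` confirms whether file content was actually returned.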
CVSS provenance
- nvd: v4.0, 7.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_msrc: 5.5 MEDIUM
Microsoft
arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
vendor_msrc·2024-09-10·CVSS 5.5
CVE-2024-46822 [MEDIUM] CWE-476 arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: h
Microsoft
vendor_msrc·2022-06-14·CVSS 5.5
CVE-2021-46822 [MEDIUM] CWE-787
The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
No detection rules found.
Exploit-DB
Java-springboot-codebase 1.1 - Arbitrary File Read
exploitdb·2025-05-25·CVSS 7.7
CVE-2025-46822 [HIGH] Java-springboot-codebase 1.1 - Arbitrary File Read
---
```python
# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read
# Google Dork:
# Date: 23/May/2025
# Exploit Author: d3sca
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
# Version: [app version] 1.1
# Tested on: Debian Linux
# CVE : CVE-2025-46822
# usage: python3 cve-2025-46822.py http://victim.com /etc/passwd
import argparse
import requests
from urllib.parse import quote

def exploit(target, file_path, output=None):
    # Ensure the file path is absolute
    if not file_path.startswith('/'):
        print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.")
        file_path = '/' + file_path.lstrip('/')
    # URL-encode the file
```
Nuclei
Java-springboot-codebase 1.1 - Arbitrary File Read
nuclei·CVSS 7.7
CVE-2025-46822 [HIGH] Java-springboot-codebase 1.1 - Arbitrary File Read
Template:
```yaml
id: CVE-2025-46822

info:
  name: Java-springboot-codebase 1.1 - Arbitrary File Read
  author: haliteroglu25
  severity: high
  description: |
    OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient p
```
No writeups or analysis indexed.
Published: 2025-05-21