CVE-2022-39305

CRITICAL

gin-vue-admin < 2.5.4b - Arbitrary File Read via Unvalidated fileMd5 and fileName Parameters


Description

Gin-vue-admin is a back-office management system built on Vue and Gin, with the front end and back end developed as separate full-stack components. Versions prior to 2.5.4 include a file upload feature. The affected code fails to validate the fileMd5 and fileName parameters, allowing an arbitrary file to be read. This issue is patched in 2.5.4b. There are no known workarounds.

Scores

CVSS v3 9.8
EPSS 0.0106
EPSS Percentile 60.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
gin-vue-admin_project/gin-vue-admin < 2.5.4b
Published Oct 24, 2022
Tracked Since Feb 18, 2026