CVE-2025-8729

MEDIUM

MigoXLab LMeterX 1.2.0 - Path Traversal via Task ID Manipulation

Title source: llm

Description

A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue.

References (7)

Core 7

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.319225

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.319225

Exploit, Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.621741

Exploit, Issue Tracking, Patch issue-tracking

https://github.com/MigoXLab/LMeterX/issues/10

Exploit, Issue Tracking, Patch issue-tracking

https://github.com/MigoXLab/LMeterX/issues/10#issuecomment-3136380379

Exploit, Issue Tracking, Patch exploit issue-tracking

https://github.com/MigoXLab/LMeterX/issues/10#issue-3255375024

Patch patch

https://github.com/MigoXLab/LMeterX/commit/f1b00597e293d09452aabd4fa57f3185207350e8

View Patch ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0066

EPSS Percentile 46.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

migoxlab/lmeterx 1.2.0

Published Aug 08, 2025

Tracked Since Feb 18, 2026