Listen to this Post
The vulnerability CVE-2025-15449 exists in the `delete` function within the `MinioController.java` file of the `cld378632668/JavaMall` project up to commit 994f1e2b. The flaw is a classic path traversal (CWE-22) issue. The `objectName` argument, which is used to construct the file path for deletion, is not properly sanitized. An attacker can inject directory traversal sequences like `../` into this parameter. Because the application fails to neutralize these sequences, the file path can escape the intended restricted directory (the Minio bucket storage location). This allows a remote, authenticated attacker with low privileges to delete arbitrary files or objects on the system, impacting the integrity and availability of the data.
dailycve form:
Platform: JavaMall
Version: Rolling releases only
Vulnerability : Path traversal delete
Severity: Medium
date: 2026-01-05
Prediction: No official patch
What Undercode Say:
Analytics:
The vulnerability was submitted by user “zyhsec” to VulDB on 2025-12-23 and publicly disclosed on 2026-01-04 . The EPSS score is approximately 0.00045 to 0.00058, indicating a very low probability of exploitation in the wild at the time of analysis . The vulnerable code resides in a controller handling Minio storage operations.
Example: Search for the vulnerable file in a local clone
find /path/to/JavaMall -name "MinioController.java" -exec grep -Hn "delete.objectName" {} \;
Expected output location:
src/main/java/com/macro/mall/controller/MinioController.java
Check if the specific commit is before the fix (if a fix existed)
git log --oneline | grep "994f1e2b"
Exploit:
The exploit is simple and does not require complex tooling. An attacker would send a crafted DELETE request to the vulnerable endpoint, manipulating the `objectName` parameter to traverse directories.
DELETE /minio/delete?objectName=../../../../etc/passwd HTTP/1.1 Host: target.com Authorization: Bearer <valid_token> If the application stores files in /data/minio/uploads, this could delete /etc/passwd if the application has permissions.
Conceptual curl command to test for the vulnerability curl -X DELETE "http://target.com/minio/delete?objectName=../../../test.txt" -H "Authorization: Bearer VALID_TOKEN"
Protection from this CVE
As the vendor has not responded and no official patch is available, protection must be implemented defensively.
// Example of a fix in Java (MinioController.java)
import org.springframework.util.StringUtils;
import java.nio.file.Path;
import java.nio.file.Paths;
public ResponseEntity<?> delete(String objectName) {
// 1. Deny any objectName containing ".." or path separators
if (objectName.contains("..") || objectName.contains("/") || objectName.contains("\")) {
return ResponseEntity.badRequest().body("Invalid object name");
}
// 2. Alternatively, sanitize by getting the filename only
// Path sanitizedPath = Paths.get(objectName).getFileName();
// if (sanitizedPath == null) { return bad request; }
// String safeName = sanitizedPath.toString();
// 3. Ensure the final path is still within the intended bucket directory
// Path basePath = Paths.get("/safe/minio/bucket/");
// Path resolvedPath = basePath.resolve(safeName).normalize();
// if (!resolvedPath.startsWith(basePath)) {
// return ResponseEntity.badRequest().body("Access denied");
// }
// Proceed with deletion logic...
return ResponseEntity.ok("Deleted: " + safeName);
}
Impact:
Successful exploitation allows an authenticated attacker to delete arbitrary files on the server where the JavaMall application runs. This can lead to denial of service (by deleting critical application files), data loss (by deleting user data from storage), and potential system instability. The confidentiality of data is not directly compromised, but the integrity and availability are impacted .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

