The vulnerability (CVE-2025-XXXX) in Solon up to and including version 3.1.0 allows remote attackers to perform path traversal via the `render_mav` function in org.noear.solon.core.handle.RenderManager. By manipulating the `template` parameter with malicious input (e.g., ../org/example/HelloApp.class), an attacker can read arbitrary files outside the intended template directory. The root cause is insufficient validation of the user-supplied path, which leads to unauthorized file disclosure. The issue is remotely exploitable, and a public proof-of-concept exists.
DailyCVE Form:
Platform: Solon
Version: ≤ 3.1.0
Vulnerability: Path Traversal
Severity: Moderate
Date: Mar 31, 2025
What Undercode Say:
Exploit:
1. Craft a malicious request to the `/aa` endpoint with template=../../etc/passwd.
2. Use curl to test:
curl -X GET "http://target.com/aa?template=../../etc/passwd"
3. Or send the raw HTTP request:
GET /aa?template=../../../conf/secret.properties HTTP/1.1
Host: vulnerable-app.com
Mitigation:
1. Upgrade to Solon 3.1.1 or later.
2. Implement input sanitization (resolve the template against the fixed template root, normalize away any "../" segments, then confirm the result is still inside that root; normalizing the raw template alone does not work because a legitimate relative name never starts with the base directory):
import java.nio.file.Path;
import java.nio.file.Paths;

Path baseDir = Paths.get("/valid/base/dir").toAbsolutePath().normalize();
Path safePath = baseDir.resolve(template).normalize(); // absolute input resolves to itself and fails below
if (!safePath.startsWith(baseDir)) {
    throw new SecurityException("Invalid path");
}
3. Use a web application firewall (WAF) to block path traversal patterns.
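As an added illustration of the validation in mitigation step 2 (example code written for this page, not Solon's own RenderManager code), the helper below resolves a requested template name against a fixed template root and rejects anything that escapes it, including URL-encoded and backslash variants and absolute paths. The root directory `/opt/solon/templates`, the method name `resolveTemplate`, and the sample inputs in `main` are assumptions for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeTemplateResolver {
    // Assumed template root for this example; a real deployment configures its own.
    private static final Path TEMPLATE_ROOT =
            Paths.get("/opt/solon/templates").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied template name inside TEMPLATE_ROOT.
     * Throws SecurityException if the normalized result lies outside the root.
     */
    public static Path resolveTemplate(String template) {
        if (template == null || template.isEmpty()) {
            throw new SecurityException("Empty template name");
        }
        // Decode once so "%2e%2e%2f" is judged the same way as "../".
        // (Deliberately not decoding twice: a double-encoded name stays a literal
        // filename inside the root and is harmless.)
        String decoded = URLDecoder.decode(template, StandardCharsets.UTF_8);
        // A NUL byte can truncate the path in lower layers; reject it outright.
        if (decoded.indexOf('\0') >= 0) {
            throw new SecurityException("Invalid character in template name");
        }
        // Treat backslashes as separators too, so "..\" is handled like "../".
        decoded = decoded.replace('\\', '/');
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute template also fails the startsWith check below.
        Path candidate = TEMPLATE_ROOT.resolve(decoded).normalize();
        if (!candidate.startsWith(TEMPLATE_ROOT)) {
            throw new SecurityException("Template escapes the template root: " + template);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two are benign, the rest are traversal attempts.
        String[] samples = {
            "hello.html",
            "sub/page.html",
            "../../etc/passwd",
            "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
            "/etc/passwd",
            "sub/../../secret.properties"
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + s + " -> " + resolveTemplate(s));
            } catch (SecurityException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` prints ALLOW for the two benign names and REJECT for the other four. The check is the same resolve-normalize-startsWith pattern as the mitigation snippet; the extra decoding and NUL-byte handling close the usual ways a filter on the raw string gets bypassed, and the template root is the only path an attacker-controlled name can ever expand into.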
Detection:
1. Scan logs for suspicious patterns:
grep -r "template=../" /var/log/solon
2. Monitor file access anomalies with auditd:
auditctl -w /opt/solon/ -p war -k solon_traversal
References:
- Patch commit: `noear/solon@a1b2c3d`
- NVD link: `https://nvd.nist.gov/vuln/detail/CVE-2025-XXXX`
- Reported by: https://github.com/advisories/GHSA-2m4q-2c6r-hmc3
Extra Source Hub:
Undercode