CVE-2025-15432 is a path traversal vulnerability identified in the yeqifu carRental software, specifically within the downloadShowFile function of the /file/downloadShowFile.action endpoint, part of the com.yeqifu.sys.controller.FileController component. The vulnerability arises from improper validation or sanitization of the 'path' parameter, which attackers can manipulate to traverse directories and access files outside the intended directory scope. This can lead to unauthorized disclosure of sensitive files on the server, potentially including configuration files, credentials, or other critical data. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The product's rolling release model means updates are continuously delivered, but no specific patched version is currently available, and the vendor has not responded to the vulnerability report. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction needed, and limited confidentiality impact, resulting in a medium severity rating. Although no active exploits have been observed in the wild, the public disclosure of the exploit code increases the risk of exploitation by threat actors.

The primary impact of this vulnerability is unauthorized access to sensitive files on the affected server, which can lead to information disclosure. Attackers could retrieve configuration files, source code, credentials, or other sensitive data, potentially enabling further attacks such as privilege escalation, lateral movement, or data exfiltration. For organizations relying on yeqifu carRental, this could compromise customer data privacy, intellectual property, and operational security. The lack of authentication requirement and ease of exploitation over the network increase the likelihood of attacks, especially in exposed environments. While the confidentiality impact is limited to file disclosure, the potential for chained attacks elevates the overall risk. The rolling release model and absence of vendor response complicate timely patching, prolonging exposure. This vulnerability could affect organizations in sectors using this software for vehicle rental management, including transportation, logistics, and car rental services, potentially leading to regulatory compliance issues and reputational damage.

Organizations should immediately implement input validation and sanitization controls on the 'path' parameter within the downloadShowFile function to prevent directory traversal sequences such as '../'. Until an official patch is released, consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the vulnerable endpoint. Restrict access to the /file/downloadShowFile.action endpoint to trusted internal networks or authenticated users where possible. Conduct thorough file system permission audits to ensure the application runs with the least privilege necessary, limiting file access scope. Monitor logs for suspicious access patterns or attempts to exploit path traversal. Engage with the vendor for updates and patches, and track the rolling release updates closely to apply fixes promptly once available. If feasible, isolate the affected application environment to reduce exposure. Additionally, consider implementing runtime application self-protection (RASP) solutions that can detect and block exploitation attempts in real time.