CVE-2025-49448: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Fastw3b LLC FW Food Menu
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu: from n/a through 6.0.0.
AI Analysis
Technical Summary
CVE-2025-49448 is a high-severity path traversal vulnerability (CWE-22) affecting the FW Food Menu software developed by Fastw3b LLC. It allows an attacker to manipulate file path inputs so that files and directories outside the intended restricted directory are reached. The flaw arises from improper limitation of pathname inputs: traversal sequences such as '../' are not neutralised and can escape the designated directory boundary. The vulnerability affects FW Food Menu versions up to 6.0.0, with no specific lower bound version identified. The CVSS 3.1 base score is 8.6 (high) with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. This means the vulnerability is exploitable over the network without privileges or user interaction, the scope is changed (S:C), and the impact is high on availability with no impact on confidentiality or integrity. The primary impact is therefore denial of service or disruption of service availability, potentially by accessing or deleting critical files or causing application crashes. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on June 27, 2025, and reserved earlier that month. The path traversal issue could allow attackers to interfere with the normal operation of the FW Food Menu application by accessing or manipulating files outside the intended directories, which could lead to service outages or application failures.
Potential Impact
For European organizations using FW Food Menu, particularly those in the hospitality and food service sectors, this vulnerability poses a significant risk to service availability. Exploitation could lead to denial of service conditions, disrupting online menu services, ordering systems, or other critical functionalities dependent on FW Food Menu. This disruption could affect customer experience, lead to financial losses, and damage reputation. Since the vulnerability does not impact confidentiality or integrity directly, data breaches or unauthorized data modifications are less likely. However, the availability impact alone can be critical for businesses relying on continuous online presence. Additionally, the vulnerability being remotely exploitable without authentication increases the risk of widespread attacks if the software is exposed to the internet. European organizations with public-facing FW Food Menu installations are particularly vulnerable to such attacks, which could be leveraged by threat actors to cause operational disruptions or as part of larger attack campaigns.
Mitigation Recommendations
Organizations should immediately audit their use of FW Food Menu software to identify affected versions (up to 6.0.0). Since no patches are currently linked, temporary mitigations include restricting network access to the FW Food Menu application, especially from untrusted networks, using firewalls or network segmentation to limit exposure. Input validation and sanitization should be enforced at the application or web server level to prevent path traversal sequences from being processed. Web application firewalls (WAFs) can be configured to detect and block path traversal attempts. Monitoring logs for unusual file access patterns or errors related to file handling can provide early detection of exploitation attempts. Organizations should engage with Fastw3b LLC for updates on patches or security advisories and plan for prompt application of any released fixes. Additionally, implementing robust backup and recovery procedures will help mitigate the impact of potential availability disruptions caused by exploitation.
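The two application-level controls recommended above, input validation that keeps a requested file inside its base directory and log monitoring for traversal attempts, as an added example that is not FW Food Menu code. The base directory /srv/menu, the endpoint path and the `file` parameter in the sample log lines are assumptions for illustration.

```python
"""Added example, not FW Food Menu code: reject file names that escape a fixed
directory, and flag traversal attempts in access-log lines. The directory
/srv/menu and the 'file' parameter are assumptions used for illustration."""
import os
import re
from urllib.parse import unquote

def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until the string stops changing, so a double-encoded
    '%252e%252e/' is seen as '../' before any path check runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_resolve(base_dir: str, requested: str):
    """Return the absolute path of `requested` under `base_dir`, or None when
    the input would leave that directory. Absolute paths, null bytes and
    backslashes are refused; the rest is normalised and checked for containment."""
    name = decode_repeatedly(requested)
    if "\x00" in name or "\\" in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))  # also follows symlinks
    # commonpath defeats prefix tricks such as /srv/menu vs /srv/menu_old
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

TRAVERSAL = re.compile(r"\.\.[/\\]")
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def flag_traversal_requests(log_lines):
    """Return (line_number, request_path) for every access-log line whose
    request path still contains '../' or '..\\' after URL decoding."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_PATH.search(line)
        if match and TRAVERSAL.search(decode_repeatedly(match.group(1))):
            hits.append((number, match.group(1)))
    return hits

# Constructed Apache-style log lines for the detector (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jun/2025:12:05:02 +0000] "GET /menu/download.php?file=lunch.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Jun/2025:12:05:07 +0000] "GET /menu/download.php?file=../../config.php HTTP/1.1" 200 1842',
    '203.0.113.9 - - [27/Jun/2025:12:05:09 +0000] "GET /menu/download.php?file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 500 0',
]
```

A WAF rule that only matches a literal `../` misses the encoded form in the third line; decoding before matching, as both functions do here, is what closes that gap.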
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T15:44:57.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e88eeca1063fb875de4ea
Added to database: 6/27/2025, 12:05:02 PM
Last enriched: 6/27/2025, 12:31:05 PM
Last updated: 8/15/2025, 4:59:03 AM