CVE-2025-5380 is a path traversal vulnerability identified in the ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统, a student accommodation management system. The vulnerability affects the component responsible for image file uploads, specifically the /upload/ endpoint. By manipulating the 'File' argument, an attacker can traverse directories on the server, potentially accessing files outside the intended upload directory. This can lead to unauthorized disclosure of sensitive files or system information. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. The product uses a rolling release model, so specific version numbers for affected or patched releases are not clearly defined beyond the commit hash 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. No public exploits are currently known in the wild, but the vulnerability details have been disclosed publicly, which may facilitate exploitation attempts.

For European organizations using the XueShengZhuSu 学生住宿管理系统, this vulnerability poses a risk of unauthorized access to sensitive files on the server hosting the application. Given the system manages student accommodation data, exposure of personal data, administrative documents, or configuration files could lead to privacy breaches and compliance violations under GDPR. Attackers exploiting this flaw could gain insights into system internals, potentially enabling further attacks such as privilege escalation or data manipulation. Although the immediate impact on system integrity and availability is limited, the confidentiality breach alone is significant for institutions handling personal and academic data. The remote and unauthenticated nature of the exploit increases the urgency for mitigation, especially in environments with internet-facing upload endpoints.

Organizations should implement strict input validation and sanitization on the file upload parameters to prevent directory traversal sequences (e.g., ../). Employing allowlists for file names and extensions, and restricting upload directories with proper filesystem permissions can reduce risk. Using secure coding practices such as canonicalization of file paths before processing uploads is critical. Network-level controls like web application firewalls (WAFs) can be configured to detect and block path traversal patterns. Since the product uses rolling releases, organizations should monitor vendor updates closely and apply patches promptly once available. In the interim, restricting access to the upload endpoint via network segmentation or authentication can reduce exposure. Regular security audits and penetration testing focusing on file upload functionalities are recommended to detect similar vulnerabilities.