CVE-2025-67845 is a directory traversal vulnerability classified under CWE-24 that affects the Mintlify Platform, specifically its Static Asset Proxy Endpoint. This flaw allows remote attackers with limited privileges to manipulate URL parameters containing path traversal sequences (e.g., '../filedir') to access unauthorized files or inject arbitrary web scripts or HTML content. The vulnerability arises because the endpoint insufficiently sanitizes or validates input paths, enabling attackers to traverse directories outside the intended asset directory. This can lead to unauthorized disclosure of sensitive files or injection of malicious content that may be rendered in users' browsers, potentially facilitating further attacks such as cross-site scripting (XSS) or information leakage. The vulnerability affects Mintlify Platform versions prior to the patch date of 2025-11-15. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) with low confidentiality and integrity impacts (C:L/I:L) and no availability impact (A:N). No public exploits are known at this time, but the vulnerability's characteristics suggest it could be exploited in targeted attacks. The directory traversal can be leveraged to bypass access controls and inject malicious scripts, potentially compromising the confidentiality and integrity of affected systems and data.

For European organizations, especially those relying on the Mintlify Platform for documentation or developer tools, this vulnerability could lead to unauthorized access to sensitive files or injection of malicious content into web assets. This may result in partial data leakage, defacement, or the facilitation of further attacks such as XSS, which can compromise user sessions or credentials. The impact is particularly relevant for organizations handling sensitive intellectual property or customer data within their documentation or static assets. Since the vulnerability requires limited privileges but no user interaction, insider threats or compromised accounts could exploit this flaw to escalate attacks. The medium severity indicates a moderate risk, but the scope change means that the vulnerability could affect multiple components or users once exploited. Disruption of service is unlikely, but reputational damage and compliance risks (e.g., GDPR) due to data exposure are concerns. Organizations in sectors such as finance, technology, and government in Europe should be vigilant, as attackers may target these high-value entities.

Organizations should immediately update the Mintlify Platform to the patched version released after 2025-11-15. In the absence of a patch, implement strict input validation and sanitization on all URL parameters to prevent path traversal sequences. Employ allowlisting of acceptable file paths and reject any input containing '../' or similar traversal patterns. Restrict access to the Static Asset Proxy Endpoint to trusted users and networks where possible, and enforce the principle of least privilege to limit the impact of compromised accounts. Conduct thorough code reviews and penetration testing focused on directory traversal and injection vulnerabilities. Monitor logs for suspicious access patterns or attempts to exploit path traversal. Additionally, implement Content Security Policy (CSP) headers to mitigate the impact of any injected scripts. Educate developers and administrators about secure coding practices related to file path handling. Finally, maintain an incident response plan to quickly address any exploitation attempts.