CVE-2025-8132 is a path traversal vulnerability identified in the ChanCMS content management system developed by yanyutao0402, affecting versions up to 3.1.2. The vulnerability exists in the delfile function located in the app/extend/utils.js file. Path traversal vulnerabilities allow an attacker to manipulate file paths to access files and directories outside the intended scope, potentially exposing sensitive information or enabling unauthorized file operations. In this case, the vulnerability can be exploited remotely without requiring user interaction, but it does require low-level privileges (PR:L) on the system. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The vector string indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability at low levels (VC:N, VI:L, VA:L). The vulnerability does not affect system components but can lead to unauthorized file deletion or access, which could disrupt CMS operations or leak sensitive data. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The vendor has released version 3.1.3 to address this issue, with a patch identified by commit c8a282bf02a62b59ec60b4699e91c51aff2ee9cd. Organizations using ChanCMS versions 3.1.0 through 3.1.2 should prioritize upgrading to the fixed version to mitigate risk.

For European organizations using ChanCMS, this vulnerability poses a risk of unauthorized file access or deletion, potentially leading to data breaches, service disruption, or defacement of websites managed by the CMS. Given that ChanCMS is a content management system, exploitation could result in exposure of sensitive content, configuration files, or user data, impacting confidentiality. Integrity could be compromised if attackers delete or modify files, affecting website functionality or trustworthiness. Availability impacts may arise from deletion of critical files causing downtime. Although the CVSS score is medium, the ease of remote exploitation without user interaction increases the risk profile. Organizations in sectors such as government, media, education, and e-commerce that rely on ChanCMS for web content management could face reputational damage and regulatory consequences under GDPR if personal data is exposed. The public disclosure of the vulnerability increases the likelihood of attempted exploitation, emphasizing the need for timely patching.

1. Immediate upgrade of ChanCMS installations to version 3.1.3 or later, which contains the official patch for CVE-2025-8132. 2. Implement strict input validation and sanitization on file path parameters within the CMS to prevent path traversal attempts. 3. Restrict file system permissions for the web server user to the minimum necessary, preventing access to sensitive directories outside the CMS root. 4. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal patterns targeting the delfile function or similar endpoints. 5. Conduct regular security audits and code reviews focusing on file handling functions to identify and remediate similar vulnerabilities proactively. 6. Monitor logs for suspicious file access or deletion attempts, especially those involving unusual path patterns. 7. Educate system administrators and developers about secure coding practices related to file operations to prevent recurrence.