CVE-2025-8753: Path Traversal in linlinjava litemall
A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component File Handler. The manipulation of the argument key leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8753 is a path traversal vulnerability identified in the linlinjava litemall application, specifically affecting versions up to 1.8.0. The vulnerability resides in the 'delete' function of the /admin/storage/delete endpoint within the File Handler component. An attacker can manipulate the 'key' argument to traverse directories outside the intended file storage path. This allows unauthorized access to arbitrary files on the server's filesystem, potentially leading to information disclosure or unauthorized file deletion. The vulnerability can be exploited remotely without user interaction, but it does require low privileges (PR:L) on the application. The CVSS 4.0 base score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity, no user interaction, and limited impact on confidentiality and availability. Although no exploitation in the wild is currently known, the exploit details have been disclosed publicly, increasing the risk of exploitation. Because there is no authentication bypass, an attacker must already hold some level of privilege, but the vulnerability still poses a significant risk to affected installations. Given that litemall is an e-commerce platform, exploitation could lead to unauthorized file access or deletion, potentially disrupting business operations or exposing sensitive data.
Potential Impact
For European organizations using linlinjava litemall versions up to 1.8.0, this vulnerability could lead to unauthorized access to sensitive files or deletion of critical data, impacting confidentiality and availability. E-commerce platforms are often targeted due to the sensitive customer and transaction data they handle. Exploitation could result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and operational downtime. The medium severity rating suggests a moderate risk, but the potential for lateral movement or privilege escalation after initial exploitation could amplify the impact. Organizations relying on litemall for online sales or inventory management may face disruption, financial loss, and reputational damage if this vulnerability is exploited. Additionally, given the remote exploitability and low complexity, attackers could automate attacks against exposed endpoints, increasing the attack surface.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade litemall to a patched version as soon as one is available. In the absence of an official patch, implement strict input validation and sanitization on the 'key' parameter to prevent directory traversal sequences (e.g., '../'), and canonicalize the resulting path before confirming it still lies inside the storage directory. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the /admin/storage/delete endpoint. Restrict access to the administrative interface by IP allowlisting or VPN to reduce exposure. Ensure that file system permissions are properly configured to limit the damage from unauthorized file access or deletion, such as running the application with the least privileges necessary and isolating critical files. Regularly audit logs for suspicious activity related to file deletion or access attempts. Finally, conduct penetration testing focused on path traversal to verify the effectiveness of mitigations.
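The two mitigations above that can be implemented in code are the containment check on the 'key' parameter and the log audit for traversal attempts against the delete endpoint. The following is an added example written for this page, not litemall's own code: it shows the weak join pattern beside a hardened resolver that canonicalizes the path and verifies it stays under the storage root, plus a small scanner over constructed access-log lines. The storage root, function names and log lines are assumptions made for the illustration; only the endpoint path comes from the advisory.

```python
"""Containment check for a storage 'key' and an access-log audit for the
/admin/storage/delete endpoint described in the advisory.

Added example, not litemall's own code. The storage root, helper names
and log lines are constructed for illustration.
"""
import os
import re
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

DELETE_ENDPOINT = "/admin/storage/delete"  # endpoint named in the advisory


def naive_target(storage_root: str, key: str) -> str:
    """The weak pattern: join the user-supplied key onto the root as-is.
    os.path.join discards the root when key is absolute, and '..' segments
    are kept, so the result can point anywhere on the filesystem."""
    return os.path.join(storage_root, key)


def resolve_storage_key(storage_root: str, key: str):
    """Hardened form: map key to a path and return it only if it stays
    inside storage_root; otherwise return None so the caller rejects the
    request instead of deleting."""
    root = Path(storage_root).resolve()
    decoded = unquote(key)  # validate the decoded form, not only raw bytes
    pure = PurePosixPath(decoded)
    # Fast rejections: absolute keys and any '..' segment (strict on purpose;
    # a legitimate storage key never needs to climb).
    if pure.is_absolute() or ".." in pure.parts:
        return None
    candidate = (root / pure).resolve()
    # Authoritative check on the canonical path: it must be a strict
    # descendant of root (the root itself is never a deletable object).
    if root not in candidate.parents:
        return None
    return candidate


# Combined-log-format parser (constructed format for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def find_traversal_attempts(log_lines):
    """Return (ip, user, decoded target) for requests to the delete endpoint
    whose query carries a '../' (or '..\\') sequence. The target is decoded
    twice so single- and double-percent-encoded forms are both caught."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target.startswith(DELETE_ENDPOINT):
            continue
        decoded = unquote(unquote(target))
        if TRAVERSAL_RE.search(decoded):
            hits.append((m.group("ip"), m.group("user"), decoded))
    return hits


# Constructed sample log lines: two traversal attempts on the delete
# endpoint, one benign delete, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - admin [09/Aug/2025:13:47:51 +0000] '
    '"POST /admin/storage/delete?key=../../outside/file.txt HTTP/1.1" 200 17',
    '198.51.100.2 - admin [09/Aug/2025:13:48:02 +0000] '
    '"POST /admin/storage/delete?key=uploads/banner.png HTTP/1.1" 200 17',
    '203.0.113.7 - admin [09/Aug/2025:13:48:30 +0000] '
    '"POST /admin/storage/delete?key=..%2F..%2Fother.txt HTTP/1.1" 200 17',
    '192.0.2.9 - - [09/Aug/2025:13:49:00 +0000] '
    '"GET /wx/goods/detail?id=../x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    root = "/srv/litemall/storage"  # assumed storage root
    for key in ("uploads/banner.png", "../../outside/file.txt", "/abs/path"):
        print(f"{key!r:28} naive={naive_target(root, key)!r:40} "
              f"hardened={resolve_storage_key(root, key)!r}")
    for ip, user, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"ALERT {ip} ({user}) -> {target}")
```

The resolver rejects rather than sanitizes: stripping '../' from a key and retrying invites encoding and overlap tricks, whereas refusing anything that does not canonicalize under the root is simple to reason about and to test. The log scanner is scoped to the one endpoint so it can run cheaply over existing access logs as a first pass before a WAF rule is in place.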
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-08T13:25:53.469Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68975187ad5a09ad000c0c65
Added to database: 8/9/2025, 1:47:51 PM
Last enriched: 8/9/2025, 2:02:52 PM
Last updated: 8/10/2025, 3:41:48 PM
Views: 8
Related Threats
- CVE-2025-8816: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8815: Path Traversal in 猫宁i Morning (Medium)
- CVE-2025-8814: Cross-Site Request Forgery in atjiu pybbs (Medium)
- CVE-2025-8813: Open Redirect in atjiu pybbs (Medium)
- CVE-2025-8812: Cross Site Scripting in atjiu pybbs (Medium)