
CVE-2025-8753: Path Traversal in linlinjava litemall

Severity: Medium
Tags: Vulnerability, CVE-2025-8753, cve
Published: Sat Aug 09 2025 (08/09/2025, 13:32:05 UTC)
Source: CVE Database V5
Vendor/Project: linlinjava
Product: litemall

Description

A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component File Handler. The manipulation of the argument key leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/17/2025, 00:58:07 UTC

Technical Analysis

CVE-2025-8753 is a path traversal vulnerability in the linlinjava litemall application, affecting all versions up to and including 1.8.0. It lives in the delete function behind the /admin/storage/delete endpoint of the File Handler component. The key argument, which names the stored object to remove, is resolved against the storage directory without validation or canonicalization, so a key carrying traversal sequences (for example ../ segments) resolves to a location outside the intended storage path and the file there is deleted instead. The /admin prefix marks this as part of litemall's administrator API, which litemall guards with an administrator login, so in practice the attacker needs administrator credentials or a hijacked administrator session; the attack is remote and needs no user interaction, but it should not be read as unauthenticated. The CVSS 4.0 base score is 5.3 (medium), which reflects low attack complexity and limited impact on confidentiality, integrity and availability, and is consistent with a vector that requires some privileges; the page does not carry the full vector, so consult the CVE record for it. No exploitation in the wild has been observed yet, but exploit details have been disclosed publicly, which raises the likelihood of attempts. Deleting arbitrary files that the application process may remove can cause partial denial of service or data loss (configuration, uploaded assets, or other data kept on the same host), and the primitive can be chained with other weaknesses to push the compromise further.

Potential Impact

For European organizations running linlinjava litemall up to and including 1.8.0, this vulnerability lets anyone holding, or having stolen, administrator access delete files anywhere the application process is permitted to, potentially disrupting the e-commerce or business operations that depend on the software. Loss of configuration, uploaded assets or other data can mean service outages, loss of critical records and a damaged system integrity; where personal data is destroyed or made unavailable, this can also become a GDPR incident. Retailers, logistics firms and any business using litemall for an online storefront are the most exposed. The medium severity score indicates a moderate but tangible threat that should be addressed promptly, especially given the public disclosure of the vulnerability and the fact that administrator credentials are a common target of phishing and credential stuffing.

Mitigation Recommendations

European organizations should immediately audit their litemall installations to determine whether they run an affected version (up to and including 1.8.0). Since no official patch is referenced on this page, consider the following mitigations:

1) Validate the key parameter of /admin/storage/delete before it touches the filesystem: accept only a flat object name (an allow-list of characters with no path separators and no dot segments), then resolve it against the storage root, canonicalize the result and refuse the request unless the canonical path still lies inside the canonical storage root. Where the application keeps a record of stored objects, delete only keys that exist in that record rather than arbitrary names.
2) Restrict access to the whole administrator interface, not just this endpoint, with network controls such as IP allow-listing or VPN access, and enforce strong authentication for administrator accounts; rotate administrator credentials if a compromise is suspected.
3) Deploy web application firewall (WAF) rules that detect and block path traversal patterns targeting this endpoint, including URL-encoded and backslash variants, and make sure the rule inspects the request body as well as the query string, since the key may arrive in either.
4) Log the key on every delete request and alert on keys containing separators or dot segments; complement this with file integrity monitoring or audit logging on the host so that deletions outside the storage directory are noticed.
5) Upgrade to a fixed release as soon as the project publishes one, and apply vendor-provided patches promptly.
6) Keep regular backups of critical data and configuration, and test restores, so that deleted files can be recovered.
7) Run the application under a dedicated account whose write and delete permissions are limited to the storage directory, with application binaries and configuration read-only, so that a traversal cannot reach anything that matters.
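The weakness described in the technical analysis and the validation in mitigation item 1, as an added Java example. This is not litemall's own code and not taken from the advisory: it is a minimal delete-by-key routine in the style the advisory describes (a key resolved against a storage root), shown vulnerable and hardened side by side. The class and method names (StorageDeleteExample, deleteUnsafe, deleteSafe) and the temporary-directory layout built in main are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example, not litemall's own code. A storage component that deletes
 * a stored object by "key", first as the advisory describes it (vulnerable),
 * then with the validation and canonical-path check a fix needs.
 */
public class StorageDeleteExample {

    private final Path root;

    public StorageDeleteExample(Path root) {
        // Canonical, absolute root so that later comparisons are path-wise, not string-wise.
        this.root = root.toAbsolutePath().normalize();
    }

    // VULNERABLE: the user-controlled key is resolved and deleted as-is.
    // A key such as "../application.yml" escapes the storage directory.
    public boolean deleteUnsafe(String key) throws IOException {
        Path target = root.resolve(key);
        return Files.deleteIfExists(target);
    }

    // HARDENED: allow-list the key, then confirm the canonical target still
    // lives under the canonical root before deleting.
    public boolean deleteSafe(String key) throws IOException {
        if (key == null || key.isEmpty() || key.length() > 255) {
            throw new IllegalArgumentException("bad key length");
        }
        // Keys are expected to be flat object names (e.g. a UUID plus extension):
        // no separators, no dot-leading segments such as "." or "..".
        if (!key.matches("[A-Za-z0-9._-]+") || key.startsWith(".")) {
            throw new IllegalArgumentException("key contains disallowed characters");
        }
        Path target = root.resolve(key).toAbsolutePath().normalize();
        // Path.startsWith compares name elements, so "/srv/storage2" is NOT inside "/srv/storage".
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IllegalArgumentException("key escapes storage root");
        }
        // A planted symlink inside the root could redirect the delete; refuse it.
        if (Files.isSymbolicLink(target)) {
            throw new IllegalArgumentException("refusing to delete through a symbolic link");
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/application.yml (outside) and <tmp>/storage/photo.png (inside).
        Path base = Files.createTempDirectory("storage-demo");
        Path storage = Files.createDirectories(base.resolve("storage"));
        Path victim = Files.writeString(base.resolve("application.yml"), "secret: x\n");
        Files.writeString(storage.resolve("photo.png"), "png");

        StorageDeleteExample s = new StorageDeleteExample(storage);
        // The traversal key an attacker would place in the delete request (assumed shape).
        String evil = "../application.yml";

        s.deleteUnsafe(evil);
        System.out.println("unsafe: victim still exists? " + Files.exists(victim)); // false

        Files.writeString(victim, "secret: x\n"); // restore for the second run
        try {
            s.deleteSafe(evil);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected (" + e.getMessage() + ")");
        }
        System.out.println("safe: victim still exists? " + Files.exists(victim));  // true
        System.out.println("safe: legitimate key deleted? " + s.deleteSafe("photo.png")); // true
    }
}
```

Two points of the hardened version matter in practice: the containment check is done on the normalized Path with Path.startsWith, because a string prefix check would accept a sibling directory whose name merely begins with the root's name, and the allow-list runs first so that encoded or backslash variants never reach the filesystem layer at all. The symlink refusal covers the case where an attacker who can upload into the storage directory plants a link pointing outside it.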


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-08T13:25:53.469Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68975187ad5a09ad000c0c65

Added to database: 8/9/2025, 1:47:51 PM

Last enriched: 8/17/2025, 12:58:07 AM

Last updated: 9/21/2025, 4:45:26 AM
