
CVE-2025-9409: Path Traversal in lostvip-com ruoyi-go

Severity: Medium
Published: Mon Aug 25 2025 (08/25/2025, 16:02:07 UTC)
Source: CVE Database V5
Vendor/Project: lostvip-com
Product: ruoyi-go

Description

A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/25/2025, 16:33:27 UTC

Technical Analysis

CVE-2025-9409 is a path traversal vulnerability identified in the lostvip-com ruoyi-go product, specifically affecting versions up to 2.1. The flaw resides in the DownloadTmp and DownloadUpload functions within the CommonController.go file of the modules/system/controller directory. The vulnerability arises from insufficient validation or sanitization of the 'fileName' argument, which can be manipulated by an attacker to traverse directories outside the intended file path. This allows unauthorized access to arbitrary files on the server's filesystem. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The vendor was notified early but has not responded or issued a patch, and a public exploit has been released, although no widespread exploitation has been observed yet. The vulnerability impacts confidentiality by potentially exposing sensitive files, but does not directly affect integrity or availability. The attack complexity is low, and no privileges are needed, making it accessible to remote attackers. The scope is limited to systems running the affected versions of ruoyi-go, a framework used for rapid development of Java-based web applications, which may be deployed in various organizational environments.

Potential Impact

For European organizations using ruoyi-go versions 2.0 or 2.1, this vulnerability poses a significant risk to data confidentiality. Attackers could access sensitive configuration files, credentials, or other critical data stored on the server, potentially leading to further compromise or data breaches. Given the remote exploitability without authentication, attackers could scan for vulnerable instances and extract information without insider access. This could impact sectors with high data sensitivity such as finance, healthcare, government, and critical infrastructure. The lack of vendor response and absence of patches increases the window of exposure. Although no known active exploitation is reported, the public availability of an exploit increases the likelihood of opportunistic attacks. Organizations relying on ruoyi-go for internal or external-facing applications should consider the risk of data leakage and potential compliance violations under GDPR if personal data is exposed.

Mitigation Recommendations

Since no official patch is available, European organizations should implement immediate compensating controls. First, restrict access to the affected endpoints (DownloadTmp and DownloadUpload) via network-level controls such as firewalls or web application firewalls (WAF) with custom rules to detect and block path traversal patterns (e.g., '../'). Second, conduct thorough input validation and sanitization on the 'fileName' parameter at the application level to reject suspicious input. Third, implement strict access controls and least privilege principles on the file system to limit the impact of unauthorized file access. Fourth, monitor logs for unusual access patterns or attempts to exploit path traversal. Fifth, consider isolating or temporarily disabling the vulnerable functionality if feasible until a patch or vendor guidance is available. Finally, maintain an inventory of ruoyi-go deployments and upgrade to a patched version once released, or consider alternative frameworks if timely remediation is not possible.
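As an added illustration of the second recommendation (application-level validation of the 'fileName' parameter), and not code from ruoyi-go or its vendor: a hypothetical Go helper, ResolveDownloadPath, that confines a user-supplied file name to a fixed download directory before a DownloadTmp/DownloadUpload-style handler opens anything. The base directory /srv/ruoyi/upload and the sample names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase signals a fileName that would escape the download directory.
var ErrOutsideBase = errors.New("fileName resolves outside the download directory")

// ResolveDownloadPath confines a user-supplied fileName to baseDir and returns
// the absolute path a handler may open. Hypothetical helper for illustration,
// not code from ruoyi-go.
func ResolveDownloadPath(baseDir, fileName string) (string, error) {
	if fileName == "" || strings.ContainsRune(fileName, 0) {
		return "", errors.New("empty or malformed fileName")
	}
	// A download name must be relative; an absolute path would ignore baseDir.
	if filepath.IsAbs(fileName) {
		return "", ErrOutsideBase
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, collapsing "." and ".." segments lexically.
	full := filepath.Join(base, fileName)
	// Rel is the actual guard: after cleaning, the path must still sit below base
	// and must name something other than base itself.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: benign names and the '../' shape the
	// mitigation text describes.
	for _, name := range []string{"report.pdf", "sub/../ok.txt", "../../etc/passwd", "/etc/passwd"} {
		p, err := ResolveDownloadPath("/srv/ruoyi/upload", name)
		fmt.Printf("%-20q -> %q %v\n", name, p, err)
	}
}
```

The check is purely lexical and does not resolve symbolic links already present under baseDir, which is why the third recommendation (filesystem least privilege) still applies; on Go 1.24 and later, os.OpenRoot enforces the same confinement at the kernel level.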


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-25T08:45:01.500Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ac8ca3ad5a09ad004d302c

Added to database: 8/25/2025, 4:17:39 PM

Last enriched: 8/25/2025, 4:33:27 PM

Last updated: 8/25/2025, 6:15:19 PM

