CVE-2025-9650: Path Traversal in yeqifu carRental
A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This affects the function removeFileByPath of the file src/main/java/com/yeqifu/sys/utils/AppFileUtils.java. The manipulation of the argument carimg leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery.
AI Analysis
Technical Summary
CVE-2025-9650 is a path traversal vulnerability in the yeqifu carRental application, affecting versions up to commit 3fabb7eae93d209426638863980301d6f99866b3. The flaw is in the removeFileByPath function in src/main/java/com/yeqifu/sys/utils/AppFileUtils.java. The function does not adequately validate or sanitize the 'carimg' argument, so an attacker can supply a crafted path that escapes the intended directory and traverse the server's filesystem, potentially deleting arbitrary files. The vulnerability is remotely exploitable without user interaction, but it requires low privileges (PR:L): the attacker must already be able to invoke the vulnerable function. The CVSS 4.0 base score is 5.3 (medium severity), reflecting a moderate impact on confidentiality, integrity, and availability, low attack complexity, and no user interaction. The vulnerability has been publicly disclosed, but no exploitation in the wild has been observed so far. The product uses a rolling release strategy, which may allow a fix to ship quickly once available; however, no patch links have been provided yet. Because the affected code is a utility function that deletes files based on user input, successful exploitation could delete critical files and cause significant integrity and availability impact, including service disruption or data loss, if sensitive or system files are targeted.
Potential Impact
For European organizations using yeqifu carRental software, this vulnerability poses a risk of unauthorized file deletion, which can disrupt business operations, cause data loss, and degrade service availability. Organizations in the car rental and fleet management sectors relying on this software could face operational downtime or reputational damage if attackers exploit this flaw to delete critical files or configuration data. The moderate severity suggests that while the vulnerability is not trivially exploitable by unauthenticated attackers, it still presents a tangible risk, especially in environments where attackers have limited access or user privileges. Given the remote exploitability, attackers could leverage this vulnerability to escalate their impact within compromised networks. The lack of known exploits in the wild currently reduces immediate risk, but public disclosure increases the likelihood of future exploitation attempts. European organizations should be vigilant, especially those with integrated carRental systems in their IT infrastructure, as disruption to these systems could affect customer service and compliance with data protection regulations if data integrity is compromised.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the vulnerable removeFileByPath function to trusted and authenticated users only, minimizing the risk of unauthorized invocation.
2. Implement strict input validation and sanitization on the 'carimg' parameter to ensure that path traversal sequences (e.g., '../') are detected and blocked.
3. Employ a whitelist approach for file paths or filenames allowed for deletion, limiting operations strictly to intended directories.
4. Monitor and audit file deletion operations and logs for suspicious activity indicative of exploitation attempts.
5. Isolate the application environment using containerization or sandboxing to limit the impact of potential file deletions.
6. Since the product uses a rolling release strategy, prioritize updating to the latest version once a patch addressing this vulnerability is released.
7. As a temporary workaround, consider implementing file system permissions that prevent the application user from deleting critical system or configuration files outside the intended directory.
8. Educate system administrators and security teams about this vulnerability to ensure timely detection and response to any exploitation attempts.
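Recommendations 2 and 3 above amount to one concrete pattern: accept only an allow-listed bare file name, resolve it against a fixed upload directory, and refuse to delete anything whose canonical path lies outside that directory. The Java class below is an added illustration of that pattern and is not code from the carRental project; the class name SafeUploadRemover, the method removeUploadedFile, the allow-list pattern, and the temporary upload directory used in main are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Illustrative hardened deletion helper (added example, not carRental code).
 * The class name, the upload-root handling and the allow-list pattern are assumptions.
 */
public final class SafeUploadRemover {

    /** Allow-list for the bare file name: no separators, no dots except the extension. */
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(?:jpg|jpeg|png)");

    private final Path uploadRoot;

    public SafeUploadRemover(Path uploadRoot) throws IOException {
        // toRealPath() resolves symlinks and relative segments once, up front,
        // so the containment check below compares canonical paths.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    /** Resolves a user-supplied value against the upload root and rejects anything that escapes it. */
    public Path resolveInsideRoot(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        Path candidate = Paths.get(userSupplied);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute path not allowed");
        }
        // normalize() collapses "." and ".." so the component-wise prefix test is meaningful.
        Path resolved = uploadRoot.resolve(candidate).normalize();
        if (!resolved.startsWith(uploadRoot)) {
            throw new IllegalArgumentException("path escapes upload directory: " + userSupplied);
        }
        return resolved;
    }

    /** Deletes one uploaded image; returns true if a file was actually removed. */
    public boolean removeUploadedFile(String carimg) throws IOException {
        // Layer 1: allow-list the bare name, which rules out "../" and separators entirely.
        if (carimg == null || !SAFE_NAME.matcher(carimg).matches()) {
            throw new IllegalArgumentException("file name not in allow-list");
        }
        // Layer 2: containment check, kept even though layer 1 already excludes traversal.
        Path target = resolveInsideRoot(carimg);
        // Layer 3: never follow a symlink that was placed inside the upload directory.
        if (Files.isSymbolicLink(target)) {
            throw new IllegalArgumentException("refusing to delete a symbolic link");
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a temporary upload directory holding one image.
        Path root = Files.createTempDirectory("carimg-demo");
        Files.createFile(root.resolve("car-42.jpg"));
        SafeUploadRemover remover = new SafeUploadRemover(root);

        System.out.println("deleted car-42.jpg: " + remover.removeUploadedFile("car-42.jpg"));
        System.out.println("second delete: " + remover.removeUploadedFile("car-42.jpg")); // false, already gone

        String[] rejected = {"../../outside.txt", "sub/../../outside.txt", "notes.txt"};
        for (String r : rejected) {
            try {
                remover.removeUploadedFile(r);
                System.out.println("UNEXPECTED: accepted " + r);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + r + ": " + e.getMessage());
            }
        }
        // The containment check exercised on its own, bypassing the allow-list:
        try {
            remover.resolveInsideRoot("../../outside.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("containment check: " + e.getMessage());
        }
        Files.delete(root);
    }
}
```

The allow-list is the primary control and alone blocks every traversal sequence; the canonical-path containment check is kept as defence in depth so that a later loosening of the pattern (for example to allow subdirectories) does not silently reintroduce the bug. Path.startsWith compares whole path components, so a sibling directory whose name merely shares a string prefix with the upload root is still rejected. Rejections thrown here are also a useful signal for the logging and monitoring called for in recommendation 4.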
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-29T06:38:45.548Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b1b68bad5a09ad00789c39
Added to database: 8/29/2025, 2:17:47 PM
Last enriched: 8/29/2025, 2:32:57 PM
Last updated: 8/29/2025, 8:11:49 PM