CVE-2025-9650 MEDIUM

CVE-2025-9650: yeqifu carRental AppFileUtils.java removeFileByPath path traversal

Vendor Yeqifu

Product carRental

Weakness CWE-22 · Path traversal

Published August 29, 2025

Last update August 29, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This affects the function removeFileByPath of the file src/main/java/com/yeqifu/sys/utils/AppFileUtils.java. The manipulation of the argument carimg leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery

Key dates

Disclosure timeline

August 29, 2025 CVE published

August 29, 2025 Record updated

Identifiers

CVE CVE-2025-9650

CWE CWE-22

CVSS 5.3 / MEDIUM

Affected versions

Vendor Yeqifu

Product carRental

Affected 3fabb7eae93d209426638863980301d6f99866b3