Summary
Authenticated arbitrary file deletion in YesWiki <= 4.4.5
It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope.
This Proof of Concept has been performed using the followings:
- YesWiki v4.4.5 (
doryphore-devbranch, latest) - Docker environnment (
docker/docker-compose.yml) - Docker v27.5.0
- Default installation
Details
The vulnerability makes use of the filemanager that allows a user to manage files that are attached to a resource when they have owner permission on it. This part of the code is managed in tools/attach/libs/attach.lib.php
public function doFileManager($isAction = false)
{
$do = (isset($_GET['do']) && $_GET['do']) ? $_GET['do'] : '';
switch ($do) {
case 'restore':
$this->fmRestore();
$this->fmShow(true, $isAction);
break;
case 'erase':
$this->fmErase();
$this->fmShow(true, $isAction);
break;
case 'del':
$this->fmDelete();
$this->fmShow(false, $isAction);
break;
case 'trash':
$this->fmShow(true, $isAction);
break;
case 'emptytrash':
$this->fmEmptyTrash(); //pas de break car apres un emptytrash => retour au gestionnaire
// no break
default:
$this->fmShow(false, $isAction);
}
}
The fmErase() function doesn't sanitize or verify the path that has been provided by the user in any way. Thus allowing a malicious user to specify any arbitrary file on the filesystem and having it deleted through the use of unlink() (as long as the user that runs the process has permission to delete it).
public function fmErase()
{
$path = $this->GetUploadPath();
$filename = $path . '/' . ($_GET['file'] ? $_GET['file'] : '');
if (file_exists($filename)) {
unlink($filename);
}
}
In addition to this deletion accross all the filesystem through fmErase(), it is also possible to delete any file attached to an existing wiki page, for instance, if user A creates a page and attaches images/documents to it, they always get uploaded to the files/ directory. If user B (malicious), knows the path of the files he can also arbitrarly delete them. (fmDelete() is also impacted by this case)
PoC
1. Environnement setup
The following actions have been performed as a privileged user
First, let's create one user (in addition to the WikiAdmin user):
Restrict the edition of 'PagePrincipale' wiki page to administrators only:
2. Upload of a file on a resource not owned by our user
The following actions have been performed as a privileged user
Second, let's upload a media to this PagePrincipale wiki page:
Then view it in the page's filemanager:
We can confirm that our file has been uploaded to the files/ directory by directly looking at the yeswiki container:
3. Arbitrary deletion (in files/)
The following actions have been performed using an unprivileged user
Now, get the full path/name of the media in the files directory by opening it in a new tab:
Afterwards, we need an instance of filemanager to be accessible to our user so we need to create a page that we own, here is used the agenda and the creation of a new event:
Call the erase method on the PagePrincipale's uploaded media:
The media is now deleted from PagePrincipale (the button is shown when the attached media doesn't exist, it's an intended behaviour):
It has also disappeared from the files/ directory:
This behaviour can be applied to any file under the files/ directory.
4. Arbitrary deletion (in /tmp/)
The following actions have been performed using a privileged access
Finally, using the same user as the process running the app, we create a file under the /tmp directory:
The following actions have been performed using an unprivileged user
We can once again call the erase method using a relative path:
The file isn't here anymore:
Suggestion of possible corrective measures
Restrict the possible paths of
fmErase()to theupload_pathdirectory.Restrict the use of
fmErase()to trashed files only.
public function fmErase()
{
$path = $this->GetUploadPath();
$filename = $this->GetUploadPath() . '/' . basename(realpath(($_GET['file'] ? $_GET['file'] : ''))); //Sanitize file path
if (file_exists($filename) && preg_match('/trash\d{14}$/', $filename)) { //Make sure that the filename ends with trash and a date
unlink($filename);
}
}
- Make sure that any request to
fmErase()orfmDelete()originates from the owner of the resource to which the attachment is linked (asks a bit more than a few lines of code).
Impact
This vulnerability allows any authenticated user to arbitrarly remove content from the Wiki resulting in partial loss of data and defacement/deteroriation of the website. In the context of a container installation of YesWiki without any modification, the 'yeswiki' files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki).
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2025-24019 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-24019? CVE-2025-24019 is a high-severity path traversal vulnerability in yeswiki/yeswiki (composer), affecting versions <= 4.4.5. It is fixed in 4.5.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2025-24019? CVE-2025-24019 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of yeswiki/yeswiki are affected by CVE-2025-24019? yeswiki/yeswiki (composer) versions <= 4.4.5 is affected.
- Is there a fix for CVE-2025-24019? Yes. CVE-2025-24019 is fixed in 4.5.0. Upgrade to this version or later.
- Is CVE-2025-24019 exploitable, and should I be worried? Whether CVE-2025-24019 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-24019 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-24019? Upgrade
yeswiki/yeswikito 4.5.0 or later.