Key Vulnerability Information

CVE Identifier: CVE-2025-66905
Vulnerability Type: Directory Traversal / Arbitrary File Read
Affected Product: takes (org.takes)
Affected Component: TkFiles (src/main/java/org/takes/tk/TkFiles.java)
Impact: High - unauthenticated disclosure of arbitrary files
Status: Unfixed as of commit 5e1ef1e0343dcdb25ac050ce74dd68b65bae3f96a (2.0-SNAPSHOT)

Summary

TkFiles in the Takes web framework concatenates the HTTP request path directly onto the configured base directory, with no canonicalization and no check that the resolved path still lies inside that directory. A remote, unauthenticated client can therefore read any file on the host that the server process itself can read.

Technical Details

1. File paths are resolved by joining the request path onto the base directory, without canonicalization.
2. Traversal sequences such as ../ are not rejected.
3. The base directory is preserved as the prefix even when the second argument starts with a leading separator, so an absolute-looking request path is still joined onto the base and its traversal segments still take effect.
4. The only check performed before the file is streamed does not verify that the resolved path stays within the base directory.

Proof of Concept

Demonstrates arbitrary file disclosure.

Impact Assessment

Attack Surface: Remote, unauthenticated HTTP clients
Confidentiality: Full compromise of every file readable by the server process
Integrity: Not directly affected
Availability: Not impacted

Root Cause

Lack of canonicalization and traversal validation in TkFiles.

Suggested Mitigations

Normalize file paths before use and verify that the normalized result still lies inside the base directory.
Reject paths containing .. segments, backslashes, or absolute path prefixes.
Add regression tests covering these inputs.
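The following Java is an added example, not code from the Takes project and not the advisory's proof of concept. It models the resolution behaviour described above next to a hardened resolver that applies the suggested mitigations. The class name FileResolvers, the base directory /srv/www, the probe paths, and the use of java.io.File(File, String) for the unsafe variant are assumptions made for illustration; the advisory only states that the request path is concatenated onto the base directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from the Takes project. Shows the unsafe join
// described in the advisory beside a hardened replacement.
public final class FileResolvers {

    // Models the vulnerable behaviour as described: the request path is joined
    // onto the base directory with no normalization and no containment check.
    // Using java.io.File(File, String) here is an assumption about the
    // mechanism; the base prefix is kept even when the child starts with "/",
    // so "/../../etc/passwd" becomes "<base>/../../etc/passwd".
    static Path resolveUnsafe(final Path base, final String requestPath) {
        return new File(base.toFile(), requestPath).toPath();
    }

    // Hardened resolver: reject backslashes and NUL bytes, strip leading
    // separators so the request path is always relative to the base,
    // normalize to collapse "." and ".." segments, then require the
    // result to remain under the (absolute, normalized) base.
    static Path resolveSafe(final Path base, final String requestPath) throws IOException {
        if (requestPath.indexOf('\\') >= 0 || requestPath.indexOf('\0') >= 0) {
            throw new IOException("forbidden character in request path");
        }
        final Path root = base.toAbsolutePath().normalize();
        final String relative = requestPath.replaceFirst("^/+", "");
        final Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("request path escapes base directory: " + requestPath);
        }
        return candidate;
    }

    public static void main(final String[] args) {
        // Assumed base directory; nothing is read from disk in this example.
        final Path base = Paths.get("/srv/www");
        // Constructed probe paths: one legitimate, three traversal attempts.
        final String[] probes = {
            "/index.html",
            "/../../etc/passwd",
            "/css/../../../etc/shadow",
            "/..\\..\\windows\\win.ini",
        };
        for (final String probe : probes) {
            // normalize() here only shows where the unsafe join ends up.
            System.out.println("unsafe " + probe + " -> " + resolveUnsafe(base, probe).normalize());
            try {
                System.out.println("safe   " + probe + " -> " + resolveSafe(base, probe));
            } catch (final IOException ex) {
                System.out.println("safe   " + probe + " -> rejected (" + ex.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a reviewer would want on the hardened variant: the request path must already be percent-decoded before the check, otherwise an encoded ".." passes the string filter and is decoded later; and normalize() does not follow symbolic links, so if the served tree may contain links pointing outside it, call toRealPath() on the candidate after the existence check and repeat the startsWith(root) test on the real path. The probe list in main is the natural seed for the regression tests the advisory asks for.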