PT-2025-39293 · Datart · Datart

Xiaoxiaoranxxx · Published 2025-09-24 · Updated 2025-10-10 · CVE-2025-56815

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Datart version 1.0.0-rc.3

Description: The software is susceptible to a directory traversal issue through an unrestricted file upload. The server uses MultipartFile.transferTo() to save the uploaded MultipartFile to a user-controllable path without sufficient filename validation, which allows manipulation of the file save location. The vulnerable API endpoint is /viz/image, called with the POST method.

Recommendations: Apply strict validation to the filename before saving the uploaded file to prevent directory traversal.
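
One way to apply the recommended filename validation around MultipartFile.transferTo(), shown as an added example that is not Datart's code. The class name SafeImageStore, the upload base directory and the extension allow-list are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import org.springframework.web.multipart.MultipartFile;

// Added illustration, not Datart source. Class name, base directory and
// extension allow-list are assumptions made for this example.
public final class SafeImageStore {
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");
    private final Path baseDir;

    public SafeImageStore(Path baseDir) throws IOException {
        Files.createDirectories(baseDir);
        this.baseDir = baseDir.toRealPath(); // canonical form, symlinks resolved
    }

    /** Pattern to avoid: the client-supplied name decides where the file lands. */
    Path unsafeTarget(String clientName) {
        // Path.resolve() keeps ".." segments and returns an absolute argument
        // unchanged, so the result can point outside baseDir.
        return baseDir.resolve(clientName);
    }

    /** Hardened: the client name contributes only an allow-listed extension. */
    Path safeTarget(String clientName) {
        if (clientName == null || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filename");
        }
        // Drop any directory part, whichever separator the client used.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String leaf = clientName.substring(cut + 1);
        int dot = leaf.lastIndexOf('.');
        String ext = dot < 0 ? "" : leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed");
        }
        // Server-generated name; the containment check is defence in depth.
        Path target = baseDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(baseDir)) {
            throw new IllegalArgumentException("target outside upload directory");
        }
        return target;
    }

    public Path save(MultipartFile file) throws IOException {
        Path target = safeTarget(file.getOriginalFilename());
        file.transferTo(target); // only ever writes inside baseDir
        return target;
    }
}
```

Because the stored name is generated on the server, the original filename is kept only as metadata if the application needs to display it.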

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-56815

Affected Products: Datart