PT-2026-1202 · Javamall · Javamall

Zyhsec · Published 2026-01-05 · Updated 2026-03-08 · CVE-2025-15449

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

JavaMall versions prior to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0

Description

The delete function in src/main/java/com/macro/mall/controller/MinioController.java is affected by a path traversal issue that is triggered by manipulating the objectName argument. The issue can be exploited remotely. The product uses continuous delivery with rolling releases, so specific version details for affected and updated releases are unavailable. The vendor was contacted regarding this disclosure but did not respond.

Recommendations

Versions prior to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0 should be updated. As a temporary workaround, restrict access to the delete function in the MinioController.java file until a patch is available. Avoid using untrusted or user-supplied input for the objectName parameter in the affected API endpoint.
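
Where the delete endpoint has to keep accepting an object name from the caller, an allow-list check on objectName is one way to apply the last recommendation. The following is an added example, not JavaMall's code and not the vendor's fix; the class name, the `uploads/` prefix, the character set and the length limits are assumptions.

```java
import java.util.regex.Pattern;

// Added example, not JavaMall code. Class name, prefix and limits are assumptions.
public final class ObjectNameValidator {
    // Assumption: every object the API may delete lives under one key prefix.
    private static final String ALLOWED_PREFIX = "uploads/";
    // Allow-list per segment. A segment must start with a letter or digit, so
    // "", "." and ".." never match; backslashes, '%' and control characters
    // are excluded because they are not in the set at all.
    private static final Pattern SAFE_SEGMENT =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    private ObjectNameValidator() { }

    /** Returns objectName unchanged if it is acceptable, otherwise throws. */
    public static String validate(String objectName) {
        if (objectName == null || objectName.isEmpty() || objectName.length() > 512) {
            throw new IllegalArgumentException("objectName missing or too long");
        }
        if (!objectName.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("objectName outside allowed prefix");
        }
        // Limit -1 keeps trailing empty segments, so "uploads/a/" is rejected too.
        for (String segment : objectName.split("/", -1)) {
            if (!SAFE_SEGMENT.matcher(segment).matches()) {
                throw new IllegalArgumentException("illegal path segment in objectName");
            }
        }
        return objectName;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed key and four malformed ones.
        String[] samples = { "uploads/2026/01/cat.png", "uploads/../config/app.yml",
                             "/uploads/cat.png", "uploads//cat.png", "uploads/cat.png/" };
        for (String s : samples) {
            try {
                System.out.println("accept  " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + s + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check rejects input instead of normalising it, and it belongs in the controller before the value reaches the storage client, alongside an authorization check on the delete function.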

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-15449

Affected Products: Javamall