Platform: go
Component: github.com/flipped-aurora/gin-vue-admin
Fixed in: 2.8.7; 0.9.1-0.20251201084432-ee8d8d7e04d9
CVE-2025-66410 describes an arbitrary file deletion vulnerability discovered in gin-vue-admin, a Go-based admin panel. This flaw allows an attacker to delete files on the system, potentially leading to data loss or complete system compromise. The vulnerability affects versions before 0.9.1-0.20251201084432-ee8d8d7e04d9, and a patch has been released to address the issue.
The arbitrary file deletion vulnerability in gin-vue-admin poses a significant risk. An attacker who successfully exploits it can delete critical system files, configuration files or application data, which can lead to denial of service, data breaches or even complete system takeover. Because the deletion happens without proper authorization, it bypasses the access controls that should protect those files, which is what makes this class of flaw particularly dangerous. The impact is amplified when the application runs in a production environment with sensitive data or critical functionality.
CVE-2025-66410 was publicly disclosed on 2025-12-02. There is currently no indication of active exploitation in the wild, but the availability of arbitrary file deletion capabilities makes it a high-priority vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be easily exploited.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-66410 is to upgrade immediately to version 0.9.1-0.20251201084432-ee8d8d7e04d9 or later. If upgrading is not feasible right away, implement strict file access controls and monitor file system activity for suspicious deletions. Review and restrict file permissions to limit the scope of potential damage. Deploy a Web Application Firewall (WAF) with rules that block requests attempting to access or delete files outside the designated directories. Regularly audit file system permissions and access logs to identify and correct any misconfigurations.
Update gin-vue-admin to a version later than 2.8.6. This fixes the arbitrary file deletion vulnerability. See the security advisory on GitHub for more details on the update and the mitigations.
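As an added example (not code from gin-vue-admin or from this advisory), the kind of containment check the mitigation above asks for: a delete helper that only removes regular files resolving inside a designated directory. The helper names, the base directory and the sample paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path escapes the designated directory.
var ErrOutsideBase = errors.New("path escapes the designated directory")

// ResolveInside (hypothetical helper) joins a user-supplied relative name onto
// baseDir and returns the cleaned path only if it still lies inside baseDir.
func ResolveInside(baseDir, userPath string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(userPath) { // absolute names are never accepted
		return "", ErrOutsideBase
	}
	target := filepath.Join(absBase, userPath) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(absBase, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// SafeRemove deletes userPath relative to baseDir, refusing anything outside it and
// anything that is not a regular file (directories and symlinks are left alone).
// A symlinked parent directory would additionally need filepath.EvalSymlinks.
func SafeRemove(baseDir, userPath string) error {
	target, err := ResolveInside(baseDir, userPath)
	if err != nil {
		return err
	}
	info, err := os.Lstat(target)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("refusing to delete non-regular file %q", target)
	}
	return os.Remove(target)
}

func main() {
	_, err := ResolveInside("/srv/app/uploads", "../../outside.txt") // constructed input
	fmt.Println(err) // prints: path escapes the designated directory
}
```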
CVE-2025-66410 is a vulnerability in gin-vue-admin that allows attackers to delete arbitrary files on the system, potentially leading to data loss or system compromise.
You are affected if you are using gin-vue-admin versions prior to 0.9.1-0.20251201084432-ee8d8d7e04d9.
Upgrade to version 0.9.1-0.20251201084432-ee8d8d7e04d9 or later. Implement file access controls and monitor file system activity as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability's nature makes it a high-priority concern.
Refer to the project's GitHub repository or official documentation for the latest advisory and release notes.