A critical path traversal vulnerability (CVE-2025-31131) has been identified in YesWiki, a PHP-based wiki system, with a CVSS score of 8.6 (High). The flaw allows attackers to read arbitrary files on the server through improper handling of the squelette parameter. This vulnerability affects all versions prior to 4.5.2, which contains the patch.
Executive Summary for Security Leadership
The vulnerability represents a significant risk to organizations using YesWiki for knowledge management or collaborative documentation. Attackers can exploit this flaw without authentication to access sensitive server files including configuration files with database credentials. The technical nature of the exploit makes it particularly dangerous as it can be weaponized with minimal effort.
- Vulnerability Type: Path traversal via
squeletteparameter - Affected Versions: YesWiki < 4.5.2
- CVSS Score: 8.6 (High)
- Impact: Unauthenticated file read access
- Patch Available: YesWiki 4.5.2
Technical Analysis
The vulnerability stems from insufficient input validation when processing the squelette parameter in theme-related requests. Attackers can manipulate this parameter to traverse directories using standard path traversal sequences (../). The GitHub advisory1 provides specific details about the improper sanitization in file path handling.
A proof-of-concept URL demonstrates how an attacker could access the /etc/passwd file:
https://yeswiki.net/?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdThis vulnerability is particularly concerning because it can expose critical configuration files such as wakka.config.php, which often contains database credentials and other sensitive information. The NVD entry2 confirms the attack vector and impact assessment.
Mitigation and Remediation
The primary mitigation is immediate upgrade to YesWiki 4.5.2. The patch commit3 shows the specific changes made to properly sanitize file paths. For organizations unable to upgrade immediately, temporary workarounds include:
- Implementing web server rules to block requests containing path traversal sequences
- Restricting file permissions on sensitive configuration files
- Monitoring for suspicious file access patterns in web server logs
Related Vulnerabilities
This vulnerability follows a pattern of security issues in YesWiki. Recent related vulnerabilities include:
| CVE | Type | Severity | Patched Version |
|---|---|---|---|
| CVE-2025-24019 | Directory Traversal | 7.1 (High) | 4.5.0 |
| CVE-2025-24018 | Stored XSS | 7.6 (High) | 4.5.0 |
The Snyk report4 provides additional context about these related vulnerabilities and their impact on YesWiki installations.
Conclusion
CVE-2025-31131 represents a serious security risk for organizations using vulnerable versions of YesWiki. The path traversal vulnerability can lead to complete system compromise if sensitive configuration files are exposed. Immediate action is recommended to either upgrade to the patched version or implement alternative mitigation measures.
Organizations should review their YesWiki installations and consider broader security implications, as this vulnerability follows similar patterns seen in other web applications. Regular vulnerability scanning and prompt patch application remain the most effective defenses against such threats.
References
- [1] “GitHub Advisory for CVE-2025-31131”, GitHub Security Advisory Database, 2025.
- [2] “NVD Entry for CVE-2025-31131”, National Vulnerability Database, 2025.
- [3] “Patch Commit for CVE-2025-31131”, YesWiki GitHub Repository, 2025.
- [4] “Snyk Report for CVE-2025-24019”, Snyk Vulnerability Database, 2025.
