
A critical vulnerability in YesWiki, tracked as CVE-2025-46348, allows unauthenticated attackers to create and download site backups containing sensitive data. The flaw, patched in version 4.5.4, exposes systems to data exfiltration through predictable archive filenames and to denial of service through repeated backup creation. The vulnerability carries a CVSS score of 10.0, the maximum severity [1].
Technical Analysis of CVE-2025-46348
The vulnerability stems from insufficient access controls in YesWiki’s backup functionality. Attackers can trigger backup creation via crafted HTTP requests without authentication. The system generates archives with predictable filenames (e.g., timestamp-based patterns), enabling attackers to download them through direct requests. Each backup contains the complete wiki database, configuration files, and user data in uncompressed form [2].
According to the GitHub Advisory database, this vulnerability shares characteristics with other critical flaws in YesWiki, including CVE-2025-46347 (arbitrary file write) and CVE-2025-31131 (path traversal). The backup feature was particularly dangerous because it did not implement rate limiting, allowing attackers to fill disk space through repeated requests [3].
Impact and Exploitation Scenarios
Successful exploitation enables three primary attack vectors: sensitive data exposure through downloaded backups, denial-of-service via disk space exhaustion, and reconnaissance for follow-up attacks. The backups typically include database credentials, user sessions, and potentially password hashes depending on configuration.
Security researchers note this vulnerability was particularly dangerous in multi-tenant YesWiki installations, where a single compromised instance could expose data from multiple organizations. The predictable filename pattern made automated exploitation trivial, requiring only sequential requests to common backup directory locations [4].
Detection and Mitigation
Organizations should immediately verify their YesWiki version and upgrade to 4.5.4 or later. For systems that cannot immediately patch, these temporary mitigations are recommended:
- Restrict access to the /backups directory via web server configuration
- Implement IP-based access controls for backup functionality
- Monitor for unusual spikes in disk usage or backup file creation
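The third mitigation, monitoring for spikes in backup creation and for archive downloads, can be scripted against the web server access log. The following is an added example written for this article, not YesWiki code: it parses combined-format log lines, flags any successful download from the backups directory, and flags a client that issues several backup-creation requests inside a short window (the disk-exhaustion pattern described above). The request patterns `action=backup` and `/backups/*.zip`, the log lines and the addresses are constructed assumptions; adapt them to the real URL layout of the deployment.

```python
"""Added example: flag backup abuse in web server access logs.

Not YesWiki code. The request patterns below are assumptions for
illustration; adapt them to the real URL layout of the deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical patterns: a backup-creation request and a download from /backups.
BACKUP_CREATE = re.compile(r"action=backup", re.IGNORECASE)
BACKUP_ARCHIVE = re.compile(r"^/backups/[^/]+\.(?:zip|tar|tgz|sql)$", re.IGNORECASE)

# Apache/nginx combined-log style line (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def analyze(lines, window=timedelta(seconds=60), create_threshold=3):
    """Return alerts: successful archive downloads and bursts of backup creation.

    - 'archive_download': any 200 response for a file under /backups; on a
      patched instance that should only ever be an administrator.
    - 'backup_flood': at least `create_threshold` creation requests from one
      client within `window`, the disk-exhaustion pattern from the advisory.
    """
    alerts = []
    creates = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        path_only = ev["path"].split("?", 1)[0]
        if BACKUP_CREATE.search(ev["path"]):
            creates[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 200 and BACKUP_ARCHIVE.match(path_only):
            alerts.append(("archive_download", ev["ip"], path_only))
    for ip, times in creates.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= create_threshold:
                alerts.append(("backup_flood", ip, end - start + 1))
                break
    return alerts


# Constructed sample lines: one client creates three backups in eight seconds
# and then fetches a timestamp-named archive; a second client is denied.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2025:10:00:01 +0000] "GET /?action=backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Apr/2025:10:00:05 +0000] "GET /?action=backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Apr/2025:10:00:09 +0000] "GET /?action=backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Apr/2025:10:00:20 +0000] "GET /backups/backup-20250429100001.zip HTTP/1.1" 200 8388608',
    '198.51.100.4 - - [29/Apr/2025:10:01:00 +0000] "GET /WikiHome HTTP/1.1" 200 2048',
    '198.51.100.4 - - [29/Apr/2025:10:02:00 +0000] "GET /backups/backup-20250429100001.zip HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script reports one archive download and one backup flood, both from 203.0.113.7; the 403 from the second client is correctly ignored because the web server already blocked it, which is what the first mitigation in the list achieves.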
The patch introduces authentication requirements for backup operations and implements cryptographically secure random filenames. Administrators should also review existing backup files for sensitive data exposure and rotate any compromised credentials [5].
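To make the shape of that fix concrete, here is an added example in Python (illustrative only; YesWiki is PHP and this is not its code). It puts the weak timestamp-based naming the advisory describes next to a backup service that enforces the three controls discussed above: administrator authentication on both creation and download, a per-user rate limit, and a 256-bit random token from the CSPRNG as the archive name. The token is used as a dictionary key rather than being joined into a filesystem path, so a guessed or traversal-style name cannot reach a file. Class and method names, the 300-second interval and the `demo()` harness are my own assumptions.

```python
"""Added example: authentication, rate limit and unguessable archive names.

Illustrative Python, not YesWiki's PHP implementation; names are my own.
"""
import os
import secrets
import tempfile
import time
from dataclasses import dataclass


class BackupError(PermissionError):
    """Raised when a backup operation is refused."""


@dataclass
class User:
    name: str
    is_admin: bool


def predictable_name(now=None):
    """The weak 'before': a timestamp-derived name, hence enumerable."""
    return time.strftime("backup-%Y%m%d%H%M%S.zip", time.gmtime(now))


class BackupService:
    def __init__(self, root, min_interval=300.0, clock=time.monotonic):
        self.root = root
        self.min_interval = min_interval  # seconds between backups per admin
        self.clock = clock                # injectable so tests can fake time
        self._issued = {}                 # token -> path on disk
        self._last_by_user = {}

    @staticmethod
    def _require_admin(user):
        if user is None or not user.is_admin:
            raise BackupError("administrator authentication required")

    def create_backup(self, user, payload: bytes) -> str:
        """Write `payload` under an unguessable name; return its access token."""
        self._require_admin(user)
        now = self.clock()
        last = self._last_by_user.get(user.name)
        if last is not None and now - last < self.min_interval:
            raise BackupError("rate limit: a backup was created too recently")
        token = secrets.token_urlsafe(32)      # 256 bits from the CSPRNG
        path = os.path.join(self.root, token + ".zip")
        with open(path, "wb") as fh:
            fh.write(payload)
        os.chmod(path, 0o600)                  # not readable by other users
        self._issued[token] = path
        self._last_by_user[user.name] = now
        return token

    def read_backup(self, user, token: str) -> bytes:
        """Serve an archive by token; the token is a dict key, never a path."""
        self._require_admin(user)
        path = self._issued.get(token)
        if path is None:
            raise FileNotFoundError("unknown backup token")
        with open(path, "rb") as fh:
            return fh.read()


def demo():
    """Exercise each control with a fake clock; return what each call did."""
    fake_now = [0.0]
    svc = BackupService(tempfile.mkdtemp(), min_interval=300.0,
                        clock=lambda: fake_now[0])
    admin, reader = User("alice", True), User("bob", False)
    out = {}
    try:
        svc.create_backup(None, b"x")
    except BackupError:
        out["anonymous_create_refused"] = True
    token = svc.create_backup(admin, b"wiki-dump")
    out["token_len"] = len(token)
    try:
        svc.create_backup(admin, b"again")
    except BackupError:
        out["second_create_rate_limited"] = True
    fake_now[0] += 301.0                       # wait out the interval
    out["create_after_wait"] = svc.create_backup(admin, b"later") != token
    out["roundtrip"] = svc.read_backup(admin, token) == b"wiki-dump"
    try:
        svc.read_backup(reader, token)
    except BackupError:
        out["non_admin_read_refused"] = True
    try:
        svc.read_backup(admin, predictable_name(0))  # a guessed name
    except FileNotFoundError:
        out["guessed_name_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The interval check is deliberately per user rather than global so one administrator's legitimate backups are not blocked by another's; on an unauthenticated endpoint no such limit is possible, which is why the authentication requirement comes first.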
Broader Security Context
This vulnerability appears alongside other critical flaws in YesWiki, including stored XSS (CVE-2025-46346) and arbitrary PHP execution (CVE-2025-46347). The concentration of high-severity vulnerabilities suggests systemic security issues in the codebase that warrant thorough review beyond individual patches.
The NVD database shows YesWiki vulnerabilities have increased 40% year-over-year, mirroring trends in other PHP-based wiki systems. This incident underscores the importance of regular security audits for knowledge management platforms, which often handle sensitive organizational data [6].
Conclusion
CVE-2025-46348 represents a severe risk to unpatched YesWiki installations due to its unauthenticated exploitation path and critical impact. Organizations using this software should prioritize patching and conduct post-remediation checks for signs of compromise. The broader pattern of vulnerabilities in YesWiki suggests administrators should consider additional security controls beyond version updates.
References
[1] “CVE-2025-46348 Detail,” NVD, 29 Apr. 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-46348
[2] “YesWiki Security Advisory GHSA-59x8-cvxh-3mm4,” GitHub, 29 Apr. 2025. [Online]. Available: https://github.com/advisories/GHSA-59x8-cvxh-3mm4
[3] “CVE-2025-46347: Arbitrary File Write in YesWiki,” SecAlerts, 28 Apr. 2025. [Online]. Available: https://secalerts.co/vulnerability/CVE-2025-46347
[4] “CVE-2025-31131 Proof of Concept,” Exploit-DB, 15 Apr. 2025. [Online]. Available: https://www.exploit-db.com/exploits/52135
[5] “YesWiki 4.5.4 Changelog,” Official Repository, 29 Apr. 2025. [Online]. Available: https://github.com/YesWiki/yeswiki/releases/tag/v4.5.4
[6] “Critical Unauthenticated Access Vulnerability in YesWiki,” CVE Mitre, 29 Apr. 2025. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46348