CVE-2025-13564: Remote Denial of Service in SourceCodester Pre-School Management System 1.0

Overview

CVE-2025-13564 identifies a medium-severity denial-of-service (DoS) vulnerability in SourceCodester Pre-School Management System version 1.0. This flaw allows a remote attacker to trigger a DoS condition by manipulating the filepath argument within the removefile function of the app/controllers/FilehelperController.php file. Exploit code is publicly available, increasing the risk of active exploitation.

Technical Details

The vulnerability resides within the removefile function of the FilehelperController.php script. Specifically, the application does not sufficiently validate or sanitize the filepath argument before performing file operations on it. By supplying a crafted filepath value, a remote attacker can trigger an error condition or resource exhaustion that results in a denial of service. The published details do not pin down the exact failure mode; it most likely involves passing a path to a non-existent or protected file so that the file operation fails in a way the application does not handle, leaving it unresponsive.

Affected file: app/controllers/FilehelperController.php

Affected function: removefile

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13564 is 5.4 (Medium). This score reflects the following characteristics:

  • Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over a network.
  • Attack Complexity (AC): Low (L) – The conditions for exploitation are easily met.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required.
  • Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
  • Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
  • Integrity Impact (I): None (N) – There is no impact to data integrity.
  • Availability Impact (A): Low (L) – There is a potential for a denial of service.

Possible Impact

A successful exploitation of this vulnerability can lead to a denial of service, rendering the Pre-School Management System unavailable to legitimate users. This can disrupt administrative tasks, student enrollment, and other critical functions of the system. The public availability of exploit code significantly increases the likelihood of real-world attacks.

Mitigation or Patch Steps

Currently, there is no official patch available from SourceCodester. Therefore, the following mitigation steps are recommended:

  • Input Validation: Implement strict input validation and sanitization on the filepath argument within the removefile function. Ensure that the filepath conforms to expected patterns and is properly escaped.
  • Access Controls: Restrict access to the removefile function to authorized users only. Implement authentication and authorization mechanisms to prevent unauthorized access.
  • Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to detect and block malicious requests targeting this vulnerability. Configure the WAF with rules that identify and mitigate attempts to manipulate the filepath parameter.
  • Monitor Logs: Monitor application logs for suspicious activity, such as unusual file access attempts or error messages related to the removefile function.
  • Consider Alternative Software: If immediate mitigation is not possible, evaluate alternative Pre-School Management Systems with a stronger security posture.
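The following PHP handler is an added illustration of the first, second and fourth mitigations above (validation of filepath, an authorization gate, and logging of rejected requests). It is not SourceCodester's code and does not reproduce the real removefile function; the UPLOAD_DIR constant, the function names and the $isAuthorized flag are assumptions for the example. The idea is that every filepath is canonicalized and proven to stay inside one intended directory before unlink() runs, and that a missing or out-of-bounds file produces a handled error response instead of an unhandled failure.

```php
<?php
// Added example, not the project's own code: a hardened file-removal handler.
// Assumptions: uploads live under UPLOAD_DIR (assumed location), the route is
// already behind authentication, and $filepath is the raw request parameter.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/preschool/uploads'; // assumed directory

/**
 * Validate a user-supplied relative path and return its canonical absolute
 * form inside UPLOAD_DIR, or null if the request must be rejected.
 */
function resolveUploadPath(string $filepath): ?string
{
    // Reject empty input, NUL bytes and absolute paths before anything else.
    if ($filepath === '' || strpos($filepath, "\0") !== false || $filepath[0] === '/') {
        return null;
    }
    // Allow only a conservative character set and a bounded length.
    if (!preg_match('#\A[A-Za-z0-9._/-]{1,255}\z#', $filepath)) {
        return null;
    }
    // Reject ".." and empty segments without touching the filesystem.
    foreach (explode('/', $filepath) as $segment) {
        if ($segment === '..' || $segment === '') {
            return null;
        }
    }
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null; // base directory missing or misconfigured
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $filepath;
    // realpath() returns false for non-existent targets, so a request for a
    // file that is not there is handled here rather than failing later.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check: the canonical path must remain under the base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Remove a file on behalf of an authorized caller. Returns a small
 * status/message array that the controller can turn into an HTTP response.
 */
function removeFile(string $filepath, bool $isAuthorized): array
{
    if (!$isAuthorized) {
        return ['status' => 403, 'message' => 'forbidden'];
    }
    $real = resolveUploadPath($filepath);
    if ($real === null) {
        // Log the rejected value so the "Monitor Logs" step has something to watch.
        error_log('removefile: rejected filepath=' . json_encode($filepath));
        return ['status' => 400, 'message' => 'invalid filepath'];
    }
    if (!@unlink($real)) {
        error_log('removefile: unlink failed for ' . $real);
        return ['status' => 500, 'message' => 'could not remove file'];
    }
    return ['status' => 200, 'message' => 'removed'];
}

// Example invocation with a constructed request value:
// $result = removeFile($_POST['filepath'] ?? '', currentUserMayDeleteFiles());
// http_response_code($result['status']);
// echo json_encode(['message' => $result['message']]);
```

Two design points matter here. The character whitelist and the segment check run before any filesystem call, so malformed input is rejected cheaply and never reaches realpath() or unlink(); and the containment check is done on the canonical path returned by realpath(), so symlinks and traversal sequences cannot move the target outside UPLOAD_DIR. Every rejected request is logged with the offending value, which gives the log-monitoring step a concrete string to alert on.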

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
