CVE-2025-13435: 
Java vulnerability analysis and mitigation

A security vulnerability has been identified in Dreampie Resty versions up to 1.3.1.SNAPSHOT. The vulnerability affects the Request function in the HttpClient Module (/resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java), where improper handling of the filename argument can lead to path traversal attacks. The vulnerability was disclosed on November 20, 2025 (Miggo, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 5.6, indicating medium severity. The attack vector is network-accessible (AV:N) but requires high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) needed. The vulnerability is classified under CWE-22 (Path Traversal). The issue stems from insufficient validation of the filename parameter in the HttpClient's Request function, allowing attackers to manipulate file paths (Miggo).

If successfully exploited, this vulnerability allows remote attackers to perform path traversal attacks, potentially gaining unauthorized access to read files from arbitrary locations on the file system where the application has access permissions (Miggo).

At the time of disclosure, no official patch has been released by the vendor. The vendor was contacted about this vulnerability but did not respond. Users are advised to monitor for updates and implement strict input validation for file operations as a temporary workaround (Miggo).