CVE-2025-13435: Resty has a Path Traversal vulnerability

November 20, 2025

A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/Dreampie/resty
github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md
github.com/advisories/GHSA-cv3m-hxpc-4hvm
nvd.nist.gov/vuln/detail/CVE-2025-13435
vuldb.com/?ctiid.332979
vuldb.com/?id.332979
vuldb.com/?submit.687603

Code Behaviors & Features

Detect and mitigate CVE-2025-13435 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →