Vulnerability Summary
- Vulnerability Name: Directory Traversal in Static Asset Proxy Endpoint
- CVE ID: CVE-2025-67845
- Severity: Medium
- CVSS Score: Medium (NVD score pending at time of disclosure)
- Exploitability: High
  - Network-accessible
  - Low attack complexity
  - Requires low-privilege authenticated access
  - No user interaction required
- CWE Classification: CWE-24 – Path Traversal ('../filedir')
- Affected Product: Mintlify Platform
- Affected Versions: All Mintlify platform versions released before November 15, 2025
- Fixed Versions: Mintlify platform versions released on or after November 15, 2025
Overview
CVE-2025-67845 is a directory traversal vulnerability affecting the Static Asset Proxy Endpoint of the Mintlify platform. The issue allows low-privilege authenticated users to manipulate file paths via crafted URLs, enabling access to files and assets outside the intended directory boundaries.
Because static asset endpoints are typically trusted and widely accessible, this vulnerability presents a meaningful risk despite its medium severity classification.
Technical Root Cause
The Static Asset Proxy Endpoint dynamically resolves file paths using user-supplied input. The core issue lies in insufficient validation and canonicalization of those paths before file access occurs.
Key technical weaknesses include:
- User-controlled path components were concatenated directly into filesystem paths
- Path normalization was incomplete or inconsistent
- Encoded traversal sequences were not fully decoded before validation
- Double-encoded payloads bypassed initial security checks
- Final resolved paths were not verified to remain within the allowed asset root
As a result, traversal sequences such as ../ or their encoded equivalents allowed attackers to move up the directory hierarchy and access unintended files.
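To make the root cause concrete, the following Python is an added illustration (not Mintlify's code, which this advisory does not reproduce) that places the flawed resolution pattern described above beside a hardened resolver: it percent-decodes to a fixed point so double-encoded input is validated in its real form, treats backslash like slash, rejects absolute paths and any '..' segment, and finally verifies that the canonical path still sits under the asset root. The asset root /srv/assets and all function names are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed example root; not a real Mintlify path.
ASSET_ROOT = "/srv/assets"


def vulnerable_resolve(root, user_path):
    """The flawed pattern from the advisory: the user-supplied segment is
    joined straight onto the root and normalized, but the result is never
    checked against the root, so '..' segments walk out of it."""
    return os.path.normpath(os.path.join(root, user_path))


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    '..%252f' is validated as '../' rather than as harmless text.
    Returns None if it is still changing after max_rounds (treat as hostile)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def safe_resolve(root, user_path):
    """Canonicalize first, validate second, then confirm containment.
    Returns the absolute file path to serve, or None to refuse the request."""
    decoded = fully_decode(user_path)
    if decoded is None or "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")           # treat ..\ exactly like ../
    if posixpath.isabs(decoded):
        return None                                # no absolute references
    if any(seg == ".." for seg in decoded.split("/")):
        return None                                # refuse traversal outright
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # Final containment check: the canonical path must sit strictly under root.
    if os.path.commonpath([root_real, candidate]) != root_real or candidate == root_real:
        return None
    return candidate
```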
Exploitation Mechanics
An attacker exploits this vulnerability by submitting crafted HTTP requests to the Static Asset Proxy Endpoint that include directory traversal payloads. The application resolves the supplied path and serves the requested file without confirming that it resides within an authorized directory.
This can lead to:
- Reading files outside the static asset directory
- Accessing other tenants’ static assets
- Serving attacker-controlled HTML or SVG content
- Client-side script execution when malicious assets are rendered
Because the endpoint is network-accessible and requires only low-privilege authentication, exploitation is straightforward and repeatable.
Attack Payload Techniques
Common traversal payload techniques observed or expected in exploitation attempts include:
Basic traversal
../../etc/passwd
Deep traversal
../../../../app/config/secrets.yml
URL-encoded traversal
..%2f..%2f..%2fetc%2fpasswd
Double-encoded traversal
..%252f..%252fcredentials.json
Windows-based traversal
..\..\windows\system32\drivers\etc\hosts
Attackers inject these payloads into static asset request paths handled by the proxy endpoint.
Conceptual Exploitation Examples
While no public exploit code is available yet due to the recent disclosure, the following requests illustrate how exploitation attempts may appear in logs or during internal testing:
Basic traversal request
GET /api/static-assets/../../etc/passwd HTTP/1.1
Host: mintlify-instance.example.com
Authorization: Bearer <low-privilege-token>
Encoded traversal
GET /api/static-assets/..%2f..%2f..%2fapp%2fconfig%2fdatabase.yml HTTP/1.1
Double-encoded bypass
GET /api/static-assets/..%252f..%252fsensitive%252fcredentials.json HTTP/1.1
Script injection via asset path
GET /api/static-assets/../../../inject/<script>alert(document.domain)</script> HTTP/1.1
MITRE ATT&CK Mapping
Exploitation of CVE-2025-67845 aligns with well-defined techniques in the MITRE ATT&CK framework. While the CVE represents a software flaw, attacker activity leveraging it follows common and documented adversary behaviors.
Relevant Techniques
Exploit Public-Facing Application (T1190)
The vulnerability exists in a network-accessible static asset endpoint. Attackers can exploit improper path handling by sending crafted HTTP requests to gain unauthorized access to internal files or assets.
Path Traversal (T1006)
Attackers manipulate file paths using traversal sequences such as ../ and encoded variants to bypass directory restrictions and access files outside the intended asset scope.
Data from Local System (T1005)
Successful exploitation allows attackers to read files directly from the server’s filesystem, including configuration files, environment data, or tenant-specific assets.
Unsecured Credentials (T1552) – Conditional
If sensitive configuration or environment files are exposed, plaintext credentials or tokens may be obtained as a secondary impact.
Indicators of Compromise (IOCs)
Request-Level IOCs
- Traversal sequences ../ or ..\
- URL-encoded variants: %2e%2e, %2f, %5c
- Double-encoded variants: %252e%252e, %252f
- Repeated or nested traversal patterns
- Absolute path references (/etc/, /proc/, C:\)
Log-Level IOCs
Suspicious log patterns include:
- Asset endpoint requests followed by unexpected 200 OK responses
- Attempts to access files such as: .env, config.yml, secrets.json, /etc/passwd, /proc/self/environ
- Sudden spikes in 403 or 404 responses followed by successful retrievals
- Requests targeting other tenants’ asset paths
File System IOCs
- Read access to configuration or credential files by the web application process
- Unexpected file access outside the static asset directory
- Delivery of HTML or SVG content from endpoints expected to serve only images
Behavioral IOCs
- JavaScript execution originating from static asset URLs
- Cross-tenant asset rendering
- Unexpected client-side alerts, redirects, or DOM manipulation
Mitigation and Official Patch
Mintlify fixed this issue in platform releases dated November 15, 2025 and later.
Official Security Patch:
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
Custom WAF and IDS Rules
The following rules are designed to detect and block traversal attempts against static asset endpoints. They should be tuned and tested in staging before production deployment.
1. ModSecurity (OWASP CRS-Compatible) Rule
Purpose: Block directory traversal attempts (raw and encoded) targeting static asset paths.
SecRule REQUEST_URI "@rx (?i)(\.\./|\.\.\\|%2e%2e|%2f|%5c|%252e%252e|%252f)" \
"id:450001,\
phase:1,\
deny,\
log,\
msg:'Path traversal attempt detected in static asset request',\
severity:CRITICAL"
Notes:
- Case-insensitive matching
- Covers single and double-encoded payloads
- Suitable for /api/static-assets or similar endpoints
- The bare %2f and %5c alternatives also match legitimately encoded slashes anywhere in a URI, so run the rule in detection mode first and scope it to the asset endpoint before enforcing
2. NGINX WAF (NAXSI) Rule
Purpose: Detect traversal sequences in request URIs and parameters.
# NAXSI is score-based: a MainRule adds to a named score and a CheckRule in the
# protected location decides what happens at that score. A literal backslash is
# written as \x5c because nginx collapses "\\" to "\" when reading the config.
MainRule "rx:(\.\./|\.\.\x5c|%2e%2e|%252e%252e)"
    "msg:Path traversal attempt detected"
    "mz:URL|ARGS"
    "s:$TRAVERSAL:8" id:450002;
CheckRule "$TRAVERSAL >= 8" BLOCK;
3. AWS WAFv2 Rule (Regex Pattern Set)
Regex Pattern:
(\.\./|\.\.\\|%2e%2e|%252e%252e|%2f|%5c)
Configuration:
- Apply to URI path and query string
- Action: Block or Count (initially Count for tuning)
- Scope: Static asset endpoints only
4. Suricata IDS Rule
Purpose: Detect traversal attempts in HTTP requests to asset endpoints.
# Matches on the raw URI so single- and double-encoded forms are visible; the endpoint
# prefix is the one used in this advisory's request examples and should be adjusted.
alert http any any -> any any ( \
    msg:"Path traversal attempt in static asset request"; \
    flow:to_server,established; \
    http.uri.raw; content:"/api/static-assets/"; nocase; \
    pcre:"/(\.\.[\/\\]|%2e%2e|%252e%252e)/i"; \
    classtype:web-application-attack; \
    sid:450003; rev:1; \
)
5. Zeek (Bro) HTTP Detection Script
Purpose: Log traversal indicators for later investigation.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) {
    # Check the raw URI so encoded forms are still visible; "in" is a substring
    # test, whereas =~ would only fire if the entire URI were the pattern.
    if ( /(\.\.\/|\.\.\\|%2e%2e|%252e%252e)/ in to_lower(original_URI) ) {
        print fmt("Possible path traversal attempt from %s: %s", c$id$orig_h, original_URI);
    }
}
6. SIEM-Friendly Detection Logic (Generic)
Use Case: Hunting and alerting in Splunk, ELK, Datadog, etc.
Detection Logic:
- HTTP requests to static asset endpoints
- URI contains traversal patterns
- Followed by HTTP 200 responses
- Repeated attempts from same IP or token
Keywords to Monitor:
../
..%2f
..%5c
%2e%2e
%252e%252e
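The detection logic above, carried through as an added Python hunting script (not from Mintlify or any SIEM vendor) that runs the four conditions over constructed access-log lines: it scopes to the asset endpoint, matches the keyword list together with the ..\ and double-encoded slash forms listed as request IOCs, groups by client and token, and reports actors with repeated attempts or any attempt that drew a 200. The log layout, the client addresses and the token names are constructed; the endpoint prefix is the one used in this advisory's request examples.

```python
import re
from collections import defaultdict

# Constructed access-log lines in a combined-log-like layout:
# client - token [time] "METHOD path HTTP/x" status bytes
LOG_LINES = [
    '10.0.0.5 - tok_a1 [15/Nov/2025:10:00:01 +0000] "GET /api/static-assets/logo.png HTTP/1.1" 200 5120',
    '10.0.0.9 - tok_b2 [15/Nov/2025:10:00:02 +0000] "GET /api/static-assets/../../etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - tok_b2 [15/Nov/2025:10:00:03 +0000] "GET /api/static-assets/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - tok_b2 [15/Nov/2025:10:00:04 +0000] "GET /api/static-assets/..%252f..%252fcredentials.json HTTP/1.1" 200 812',
    '10.0.0.7 - tok_c3 [15/Nov/2025:10:00:05 +0000] "GET /api/static-assets/css/site.css HTTP/1.1" 200 2048',
    '10.0.0.7 - tok_c3 [15/Nov/2025:10:00:06 +0000] "GET /docs/search?q=..%2f HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Keywords from the advisory plus the ..\ and double-encoded slash forms it lists as IOCs.
TRAVERSAL_RE = re.compile(
    r"\.\./|\.\.\\|\.\.%2f|\.\.%5c|\.\.%252f|\.\.%255c|%2e%2e|%252e%252e", re.I)
ASSET_PREFIX = "/api/static-assets/"   # endpoint path from the advisory's examples


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, token, ts, method, path, status = m.groups()
    return {"client": client, "token": token, "ts": ts,
            "method": method, "path": path, "status": int(status)}


def is_traversal_request(path):
    """True when the request targets the asset endpoint and carries a traversal pattern."""
    return path.startswith(ASSET_PREFIX) and TRAVERSAL_RE.search(path) is not None


def hunt(lines, min_attempts=2):
    """Group traversal requests by (client, token); report an actor on repeated
    attempts or on any 200, which on a vulnerable build means the file outside
    the asset root was actually served."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_traversal_request(ev["path"]):
            by_actor[(ev["client"], ev["token"])].append(ev)
    findings = []
    for (client, token), evs in by_actor.items():
        successes = [e for e in evs if e["status"] == 200]
        if len(evs) >= min_attempts or successes:
            findings.append({"client": client, "token": token,
                             "attempts": len(evs), "successes": len(successes),
                             "served_paths": [e["path"] for e in successes]})
    return findings
```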
Defensive Measures and Operational Recommendations
- Start WAF rules in detect-only mode to reduce false positives
- Scope rules narrowly to static asset endpoints
- Log all blocked requests for forensic review
- Combine WAF blocking with log-based detection
- Audit historical logs from pre-November 15, 2025
Final Takeaway
CVE-2025-67845 is a textbook directory traversal flaw, but its impact is amplified by its location in a static asset proxy. These endpoints are often overlooked, widely exposed, and implicitly trusted, making them attractive targets.
Organizations using Mintlify should confirm patch status immediately, deploy defensive controls, and review logs for historical exploitation attempts.
