Platform: php
Component: clipbucket-v5
Fixed in: 5.5.2
CVE-2025-21622 describes a Path Traversal vulnerability discovered in ClipBucket, an open-source video hosting platform built with PHP. This flaw allows an attacker to delete files outside of the intended directory by manipulating the avatar upload URL. The vulnerability impacts ClipBucket versions 5.5.1 and earlier. A patch is available in version 5.5.1 - 237.
The core of this vulnerability lies in the avatar deletion functionality. When a user deletes their avatar, ClipBucket constructs a file path based on the user-provided avatar_url. Critically, the application fails to properly sanitize this input, allowing an attacker to inject path traversal sequences (e.g., ../..). This enables the attacker to specify a path outside the intended avatars directory, potentially leading to the deletion of sensitive system files, configuration files, or even core application components. The impact is significant, as successful exploitation could compromise the entire server and lead to data loss or complete system takeover. While the vulnerability requires authentication, the ease of exploitation makes it a high-priority concern.
CVE-2025-21622 was publicly disclosed on January 7, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation.
ClipBucket installations, particularly those running older versions (5.5.1 and below), are at risk. Shared hosting environments where multiple users share the same ClipBucket instance are especially vulnerable, as a compromised user account could be used to exploit the vulnerability and impact other users. Legacy configurations with permissive file upload settings also increase the risk.
• linux / server:
find /var/www/clipbucket/avatars -type f -name '*..*' 2>/dev/null # Check for files with suspicious names
• generic web:
curl -I 'http://your-clipbucket-site.com/avatars/../../../../etc/passwd' # Attempt path traversal
Disclosure
Exploit status
EPSS: 1.27% (79th percentile)
The primary mitigation for CVE-2025-21622 is to immediately upgrade ClipBucket to version 5.5.1 - 237 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences in the avatar_url parameter. Specifically, look for patterns like ../ or absolute paths. Additionally, review and restrict file permissions within the avatars directory to minimize the potential damage from unauthorized file deletion. After upgrading, confirm the fix by attempting to delete an avatar with a crafted path traversal payload and verifying that the deletion fails with an appropriate error message.
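The hardened deletion path implied above (keep only the file name, allow-list its shape, then confirm the resolved path stays inside the avatars directory), written as an added example that is not ClipBucket's own code; the function name, directory layout and file-name allow-list are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not ClipBucket's own code. $avatarsDir, the function name
// and the throw-away file layout below are assumptions made for illustration.

/**
 * Delete the avatar referenced by a user-supplied URL, refusing any request
 * that would resolve to a file outside $avatarsDir.
 * Returns true when a file was deleted, false when the request was refused.
 */
function deleteAvatarSafely(string $avatarUrl, string $avatarsDir): bool
{
    $path = parse_url($avatarUrl, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;                       // malformed URL or no path component
    }
    // 1. Keep only the final segment: "../" sequences and any directory parts
    //    supplied by the user are discarded here.
    $name = basename($path);

    // 2. Allow-list the filename shape instead of trying to strip bad characters.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif|webp)\z/', $name)) {
        error_log("avatar delete refused, unexpected name: $name");
        return false;
    }

    // 3. Resolve both paths (realpath follows symlinks) and require the target
    //    to live directly under the avatars directory. Defence in depth: this
    //    also catches a symlink inside the directory that points elsewhere.
    $base   = realpath($avatarsDir);
    $target = realpath($avatarsDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || dirname($target) !== $base) {
        error_log("avatar delete refused, outside avatars dir: $avatarUrl");
        return false;
    }
    return unlink($target);
}

// Demonstration with a constructed layout: <root>/avatars/ and <root>/secret.conf
$root = sys_get_temp_dir() . '/cb_demo_' . bin2hex(random_bytes(4));
mkdir("$root/avatars", 0700, true);
file_put_contents("$root/avatars/user42.jpg", 'img');
file_put_contents("$root/secret.conf", 'keep me');

var_dump(deleteAvatarSafely('/avatars/../secret.conf', "$root/avatars")); // traversal attempt, refused
var_dump(file_exists("$root/secret.conf"));                                // the file outside the directory survives
var_dump(deleteAvatarSafely('/avatars/user42.jpg', "$root/avatars"));      // legitimate avatar, deleted
```

The refusals are logged with error_log so a traversal attempt shows up in the web server's error log, which is also a useful detection signal while a WAF rule is being rolled out.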
Upgrade ClipBucket to version 5.5.1 - 237 or later. This version fixes the path traversal vulnerability in the avatar deletion function. The update prevents the deletion of files outside the avatars directory.
CVE-2025-21622 is a Path Traversal vulnerability in ClipBucket versions 5.5.1 and earlier, allowing attackers to delete files by manipulating the avatar upload URL.
You are affected if you are running ClipBucket version 5.5.1 or earlier. Upgrade to version 5.5.1 - 237 to resolve the issue.
Upgrade ClipBucket to version 5.5.1 - 237. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in the avatar URL.
As of January 2025, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the ClipBucket security advisories on their official website or GitHub repository for the latest information and updates.