CVE-2025-50202 describes a Path Traversal vulnerability discovered in Lychee, a free photo-management tool. This vulnerability allows attackers to potentially leak sensitive files from the server, including configuration secrets and user-uploaded images. The vulnerability affects versions 6.6.6 through 6.6.9 and has been resolved in version 6.6.10.
The primary impact of CVE-2025-50202 is the potential for unauthorized disclosure of sensitive information. An attacker exploiting this vulnerability could read arbitrary files on the server, bypassing intended access controls. This includes environment variables, which may contain database passwords or API keys, nginx logs which could contain user data, and other user-uploaded images. Successful exploitation could lead to data breaches, compromise of system credentials, and potential lateral movement within the network if exposed credentials are used to access other systems. The ability to access user-uploaded images also raises privacy concerns.
CVE-2025-50202 was publicly disclosed on 2025-06-18. There are currently no known public proof-of-concept exploits available, but the ease of path traversal exploitation suggests a potential for rapid development of such exploits. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability's impact is amplified by the potential for sensitive data exposure, making it a high-priority concern for Lychee users.
Self-hosted Lychee installations are particularly at risk, especially those running older, unpatched versions. Shared hosting environments where multiple users share the same Lychee instance are also vulnerable, as a compromise of one user's account could potentially lead to the exposure of data belonging to other users. Administrators who have not implemented robust file access controls are also at increased risk.
• linux / server: Monitor Lychee logs (typically located in /var/log/lychee/) for unusual file access patterns or attempts to access files outside of the intended directories. Use journalctl -u lychee to review Lychee-related system logs.
• generic web: Use curl to probe for potentially accessible files using path traversal sequences (e.g., curl 'http://your-lychee-instance/../../../../etc/passwd').
• generic web: Examine access logs for requests containing ../ sequences, which are indicative of path traversal attempts.
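As an added example (not from the advisory or the Lychee project), the access-log review described above written as a small Python scan: it percent-decodes each request target repeatedly, so double-encoded variants are caught, and reports any request whose decoded target contains a `..` path segment. The nginx-style log lines are constructed samples; the endpoint name is the one the advisory mentions.

```python
import re
from urllib.parse import unquote

# Constructed nginx-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2025:10:01:02 +0000] "GET /gallery HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2025:10:01:07 +0000] "GET /securepathcontroller.php?file=../../../../.env HTTP/1.1" 200 311 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2025:10:02:11 +0000] "GET /securepathcontroller.php?file=%2e%2e%2f%2e%2e%2fstorage/logs/app.log HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2025:10:02:15 +0000] "GET /uploads/big/abc.jpg HTTP/1.1" 200 80231 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Jun/2025:10:03:40 +0000] "GET /securepathcontroller.php?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Combined/common log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment: not glued to a filename (a..b, ...) and followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?<![A-Za-z0-9.])\.\.(?=[/\\]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target: str) -> bool:
    """True if the decoded path or query string contains a '..' segment."""
    decoded = fully_decode(target).replace('\\', '/')
    return bool(TRAVERSAL_RE.search(decoded))


def scan_log(text: str) -> list[dict]:
    """Return one record per request whose target carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_traversal(m['target']):
            continue
        hits.append({'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                     'target': m['target'], 'decoded': fully_decode(m['target'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a traversal request deserves more attention than a 404.
        print(f"{hit['ip']} {hit['ts']} status={hit['status']} {hit['decoded']}")
```

Requests that were answered with 200 are the ones to correlate with the files named in the decoded target; a 404 shows probing but not disclosure.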
• Disclosure: 2025-06-18
• Exploit status: no public proof-of-concept known
• EPSS: 0.12% (31st percentile)
The primary mitigation for CVE-2025-50202 is to upgrade Lychee to version 6.6.10 or later. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement for path traversal, restricting access to the /securepathcontroller.php endpoint or implementing strict input validation on any parameters passed to it can offer some limited protection. Regularly review and audit Lychee’s configuration files for any exposed secrets. After upgrading, confirm the fix by attempting to access files outside the intended directory through the /securepathcontroller.php endpoint; access should be denied.
Upgrade Lychee to version 6.6.10 or later. This version contains a fix for the path traversal vulnerability. The upgrade can be performed through the Lychee administration panel or by downloading the latest version of the software and replacing the existing files.
CVE-2025-50202 is a Path Traversal vulnerability affecting Lychee photo-management tool versions 6.6.6 through 6.6.9, allowing attackers to potentially leak sensitive files.
You are affected if you are running Lychee version 6.6.6 or later, but before version 6.6.10. Check your Lychee version and upgrade immediately if vulnerable.
Upgrade Lychee to version 6.6.10 or later to patch the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file access permissions.
While no public exploits are currently known, the ease of exploitation suggests a potential for rapid exploitation. Monitor your systems closely.
Refer to the official Lychee security advisory on their website or GitHub repository for the latest information and updates.