Platform
other
Component
convertx
Fixed in
0.16.1
CVE-2025-66449 is a path traversal vulnerability in ConvertX, a self-hosted online file converter. An authenticated user can write files to arbitrary locations on the host, including over existing binaries, which can lead to code execution. ConvertX versions before 0.16.1 are affected; 0.16.1 (the version recorded above) contains the fix.
The impact is severe. An attacker who can authenticate to ConvertX uses the /upload endpoint to submit a file under a name of their choosing. Because the application does not sanitize that filename, a name containing traversal sequences (for example ../../../../etc/passwd) is resolved relative to the upload directory and lands wherever the sequences point. With a suitably chosen target the attacker can replace a system binary such as sshd with a malicious version and wait for it to be executed, giving them arbitrary code execution on the server, access to any data it holds and a foothold for moving to other systems on the network. How far the write reaches is bounded by the privileges of the ConvertX process and, in container deployments, by the container filesystem and any mounted volumes; a service running as root on a writable root filesystem exposes the most.
The vulnerability has been publicly disclosed and a patch is available. There is no indication of active exploitation, and the CVE is not listed in the CISA KEV catalog at the time of writing. Because exploitation needs only an authenticated upload with a crafted filename, public proof-of-concept code is likely to appear now that the issue has been disclosed.
Self-hosted ConvertX instances that serve many users are at the greatest risk. Where account registration is open to untrusted users or credentials are shared, the authentication requirement is no real barrier, and on a shared server a single compromised or malicious account can affect every other tenant, because the file write happens with the privileges of the service rather than of the user.
• linux / server:
find /var/www/convertx /usr/bin /usr/sbin -type f -mtime -7 -print # files under the ConvertX install path and the system binary directories modified in the last 7 days (adjust the install path to your deployment; "-mtime +7" would list only older files)
journalctl -u convertx -f # tail the ConvertX service log and watch /upload requests for filenames containing ../ or its percent-encoded forms
• generic web:
curl -i -X POST 'http://your-convertx-server.com/upload' -b "$SESSION_COOKIE" -F 'file=@probe.txt;filename=../convertx-probe.txt' # run only against a test instance you own; an authenticated session is required and the multipart field name is illustrative. A patched server must not create the file outside its upload directory
Disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66449 is to upgrade ConvertX to 0.16.1 or later, the release that contains the fix. If that cannot happen immediately, reduce exposure in the meantime: keep only trusted accounts (the attack needs an authenticated session), run the service under an unprivileged account with a read-only root filesystem so that a stray write cannot reach system binaries, and, if you operate a Web Application Firewall, add a rule that blocks upload requests whose filename contains ../, ..\ or their percent-encoded forms. The proper fix on the application side is strict validation of the file.name parameter: keep only the final path component, reject separators and ".." segments, and verify that the resolved path is still inside the upload directory before writing. Audit other upload and conversion code paths for the same pattern.
Update ConvertX to version 0.16.1 or later. That release corrects the path traversal that allows arbitrary file writes and code execution, so an attacker can no longer overwrite system files through the upload endpoint.
CVE-2025-66449 is a path traversal vulnerability in ConvertX versions before 0.16.1 that lets authenticated users write arbitrary files and potentially execute code.
You are affected if you run a ConvertX version earlier than 0.16.1. Check the version of your deployment and upgrade.
Upgrade ConvertX to 0.16.1 or later. Until then, limit which accounts can upload, run the service with least privilege, and add WAF rules against traversal sequences in filenames.
There is currently no evidence of active exploitation, but the severity of an arbitrary file write warrants prompt remediation.
Refer to the ConvertX project's official website or GitHub repository for the latest security advisories and release notes.