Platform
other
Component
crystal-live-http-server
CVE-2019-25352 describes a directory traversal vulnerability present in Crystal Live HTTP Server versions 6.01–6.01. This flaw allows remote attackers to navigate outside the intended web root by manipulating URL path segments, potentially leading to unauthorized access to sensitive system files. The vulnerability was published on 2026-02-18 and a fix is recommended to address the risk.
The directory traversal vulnerability in Crystal Live HTTP Server allows an attacker to bypass access controls and retrieve arbitrary files from the server. By injecting malicious '../' sequences into URL requests, an attacker can traverse the file system hierarchy and access files outside the web root. This could include sensitive configuration files, system files, or even source code, depending on the server's configuration and permissions. Successful exploitation could lead to information disclosure, privilege escalation, and potentially even remote code execution if the attacker can leverage the accessed files to compromise the system further. The impact is amplified if the server is used to host sensitive data or is part of a critical infrastructure.
The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of exploitation associated with path traversal vulnerabilities suggests a potential for future exploitation. The vulnerability's severity and potential impact warrant proactive mitigation efforts.
Exploit Status
EPSS
0.46% (64% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2019-25352 is to upgrade to a patched version of Crystal Live HTTP Server. Since a fixed version is not explicitly mentioned, consider isolating the vulnerable server and restricting access to trusted networks. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious '../' sequences. Regularly review and harden server configurations to minimize the potential impact of this vulnerability. Monitor access logs for unusual file access patterns that might indicate exploitation attempts.
Update to a patched version of Crystal Live HTTP Server that addresses the path traversal vulnerability. If no version is available, consider disabling the service or implementing additional security measures, such as restricting access to sensitive files and validating URL inputs.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-25352 is a vulnerability allowing attackers to access files outside the intended web root in Crystal Live HTTP Server 6.01–6.01 by manipulating URL paths.
If you are running Crystal Live HTTP Server version 6.01–6.01, you are potentially affected by this vulnerability. Upgrade is the recommended solution.
Upgrade to a patched version of Crystal Live HTTP Server. If a patch is unavailable, implement WAF rules and restrict access to the server.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for future attacks. Proactive mitigation is recommended.
Official advisories may be available on the Crystal Live HTTP Server website or through security mailing lists. Check vendor resources for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.