Platform
php
Component
lychee
Fixed in
6.6.7
CVE-2025-50202 is a Path Traversal vulnerability discovered in Lychee, a free photo-management tool. This vulnerability allows attackers to potentially leak sensitive files from the server, including environment variables, nginx logs, user-uploaded images, and configuration secrets. The vulnerability affects versions 6.6.6 and later, up to but not including version 6.6.10. A patch has been released in version 6.6.10.
The impact of this vulnerability is significant due to the potential for sensitive data exposure. An attacker exploiting this Path Traversal flaw could gain access to critical system information, such as database credentials stored in environment variables or configuration files. Compromised user-uploaded images could be exposed, leading to privacy breaches. The ability to access nginx logs could provide insights into server activity and potentially aid in further attacks. This vulnerability could be leveraged for reconnaissance, privilege escalation, and data theft, significantly impacting the confidentiality and integrity of the Lychee installation and the data it manages.
This vulnerability was publicly disclosed on 2025-06-18. No public proof-of-concept (PoC) code has been released at the time of this writing, but the ease of exploitation inherent in Path Traversal vulnerabilities suggests a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's impact is amplified by the popularity of Lychee as a self-hosted photo management solution.
Exploit Status
EPSS
0.12% (31st percentile)
The primary mitigation for CVE-2025-50202 is to immediately upgrade Lychee to version 6.6.10 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions within the Lychee directory and implementing stricter input validation on file paths. Web Application Firewalls (WAFs) configured to detect and block path traversal attempts can also provide an additional layer of protection. Monitor Lychee logs for suspicious file access attempts and unusual patterns that might indicate exploitation.
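The log-monitoring advice above can be turned into a concrete check. The following is an added example, not code from Lychee or from the advisory: it scans nginx combined-format access-log lines (constructed sample lines, not real traffic) for request paths that contain `..` after URL decoding, including double-encoded forms, or that name the kinds of files the advisory says could be leaked. The file names and log format are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2025:10:00:01 +0000] "GET /uploads/big/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2025:10:00:02 +0000] "GET /uploads/../../.env HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.7 - - [18/Jun/2025:10:00:03 +0000] "GET /uploads/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [18/Jun/2025:10:00:04 +0000] "GET /uploads/%252e%252e/storage/logs/laravel.log HTTP/1.1" 200 300 "-" "python-requests/2.31"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed sensitive targets, matching the file classes named in the advisory
# (environment file, nginx logs, application logs). Adjust to your deployment.
SENSITIVE = (".env", "/etc/passwd", "/var/log/nginx", "storage/logs")

def fully_decode(path, rounds=3):
    # Decode repeatedly so double-encoded sequences such as %252e become "."
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path):
    # Strip the query string, decode, and normalise backslashes to slashes.
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    if ".." in path.split("/"):
        return True
    return any(marker in path for marker in SENSITIVE)

def flag_traversal(log_text):
    # Returns (ip, raw_path, status) for each suspicious request. A 200 status
    # on a flagged path deserves the highest priority: it suggests the read worked.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits
```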
Update Lychee to version 6.6.10 or later. This version contains a fix for the path traversal vulnerability. The update can be performed through the Lychee administration panel or by downloading the latest version of the software and replacing the existing files.
CVE-2025-50202 is a Path Traversal vulnerability affecting the Lychee photo-management tool, versions 6.6.6 through 6.6.9, which allows attackers to potentially leak sensitive files.
You are affected if you are running Lychee version 6.6.6 or later, but before version 6.6.10. Check your Lychee version and upgrade immediately if vulnerable.
Upgrade Lychee to version 6.6.10 or later to patch the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file access permissions.
While no public exploits are currently known, path traversal flaws are typically easy to exploit, so rapid exploitation is possible. Monitor your systems closely.
Refer to the official Lychee security advisory on their website or GitHub repository for the latest information and updates.