Platform
other
Component
convertx
Fixed in
0.16.1
CVE-2025-66449 describes a Path Traversal vulnerability discovered in ConvertX, a self-hosted online file converter. This flaw allows authenticated users to write arbitrary files to the system, potentially overwriting critical binaries and leading to code execution. The vulnerability impacts versions of ConvertX prior to 0.16.0, and a patch has been released to address the issue.
The primary impact of CVE-2025-66449 is the potential for remote code execution. An attacker, after authenticating to the ConvertX instance, can exploit the /upload endpoint to upload files with arbitrary names. Crucially, the application does not sanitize the filename provided by the user. This allows an attacker to overwrite system binaries with malicious versions, effectively gaining control of the server. The blast radius extends to the entire server infrastructure, as successful exploitation grants the attacker the ability to execute arbitrary commands with the privileges of the ConvertX process. This vulnerability shares similarities with other file upload vulnerabilities where insufficient input validation allows for arbitrary file writes, potentially leading to system compromise.
CVE-2025-66449 was publicly disclosed on 2025-12-16. There is no indication of this vulnerability being actively exploited at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.8 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66449 is to upgrade ConvertX to version 0.16.0 or later, which contains the patch. If upgrading is not immediately feasible, apply temporary workarounds. Restrict the filesystem write permissions of the ConvertX user account so that a successful arbitrary write cannot reach system binaries. Deploy a Web Application Firewall (WAF) with rules that block requests to the /upload endpoint whose filenames contain path traversal sequences. Review and restrict the directories writable by the ConvertX process to minimize the impact of any file overwrite. After upgrading, confirm the fix by attempting to upload a file with a traversal filename (e.g., /../../../../etc/passwd) and verifying that the upload is rejected.
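To show the defect class described above and the check a maintainer or reviewer would want, here is an added TypeScript example (ConvertX is a TypeScript project, but this is not ConvertX's own code and does not reproduce its fix). It contrasts a naive join of the user-supplied filename with a handler that rejects any name carrying a directory component and then verifies containment; the upload directory is a constructed placeholder.

```typescript
import * as path from "path";

// Constructed placeholder, not ConvertX's real directory layout.
const UPLOAD_DIR = "/srv/convertx/uploads/job-42";

// Naive handling: the user-controlled filename is joined onto the upload
// directory. path.join normalizes "..", so a crafted name resolves outside it.
function naiveUploadPath(uploadDir: string, filename: string): string {
  return path.join(uploadDir, filename);
}

// Does a resolved path lie outside the intended directory?
function escapesDir(uploadDir: string, resolved: string): boolean {
  const root = path.resolve(uploadDir);
  return !path.resolve(resolved).startsWith(root + path.sep);
}

// Hardened handling: reject rather than silently rewrite. A legitimate upload
// name never contains a directory component, so anything that is not its own
// basename (or is "", ".", "..", or carries NUL/backslash) is refused.
// Returns the resolved target path, or null when the name is rejected.
function safeUploadPath(uploadDir: string, filename: string): string | null {
  if (filename === "" || filename === "." || filename === "..") return null;
  if (filename.includes("\0") || filename.includes("\\")) return null;
  if (path.basename(filename) !== filename) return null;
  // Defense in depth: after resolving, the target's parent must be the root.
  const root = path.resolve(uploadDir);
  const target = path.resolve(root, filename);
  if (path.dirname(target) !== root) return null;
  return target;
}

// Stand-alone demonstration of both behaviours.
for (const name of ["report.pdf", "/../../../../etc/passwd", "..", "sub/x.txt"]) {
  const naive = naiveUploadPath(UPLOAD_DIR, name);
  console.log(
    JSON.stringify(name),
    "naive ->", naive, escapesDir(UPLOAD_DIR, naive) ? "(ESCAPES)" : "(contained)",
    "| safe ->", safeUploadPath(UPLOAD_DIR, name) ?? "rejected",
  );
}
```

The same `safeUploadPath` logic doubles as the post-upgrade verification described above: a traversal filename must come back rejected, while an ordinary name still resolves inside the upload directory.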
Update ConvertX to version 0.16.0 or higher. This version contains a fix for the path traversal vulnerability that allows arbitrary file write and code execution. The update will prevent an attacker from overwriting system files and executing malicious code.
CVE-2025-66449 is a Path Traversal vulnerability in ConvertX versions prior to 0.16.0, allowing authenticated users to write arbitrary files and potentially achieve code execution.
You are affected if you are running ConvertX version 0.16.0 or earlier. Check your version and upgrade immediately.
Upgrade ConvertX to version 0.16.0 or later. As a temporary workaround, restrict file upload permissions and implement WAF rules.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the ConvertX project's official website or GitHub repository for the latest security advisories and release notes.