5.5.2
CVE-2025-21622 describes a Path Traversal vulnerability discovered in ClipBucket, an open-source video hosting platform built with PHP. This flaw allows an attacker to delete files outside of the intended directory by manipulating the avatar upload URL. The vulnerability impacts ClipBucket versions 5.5.1 and earlier. A patch is available in version 5.5.1 - 237.
The vulnerability lies within ClipBucket's avatar deletion functionality. When a user deletes their avatar, the system checks the provided URL against the 'avatars' directory. Critically, there's no validation to prevent path traversal sequences (e.g., '../') in the user-supplied URL. An attacker can craft a malicious URL containing these sequences, effectively bypassing the intended directory restriction. This allows them to specify arbitrary file paths on the server, leading to unauthorized file deletion. The potential impact extends beyond just avatar files; an attacker could potentially delete critical system files, disrupting the entire ClipBucket installation or even compromising the underlying server. This vulnerability shares similarities with other path traversal exploits where insufficient input validation leads to unauthorized access and modification of files.
CVE-2025-21622 was publicly disclosed on January 7, 2025. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of this writing.
ClipBucket installations, particularly those running older versions (5.5.1 and below), are at risk. Shared hosting environments where multiple users share the same ClipBucket instance are especially vulnerable, as a compromised user account could be used to exploit the vulnerability and impact other users. Legacy configurations with permissive file upload settings also increase the risk.
• linux / server:
find /var/www/clipbucket/avatars -type f -name '*..*' 2>/dev/null # Check for files with suspicious names
• generic web:
curl -I 'http://your-clipbucket-site.com/avatars/../../../../etc/passwd' # Attempt path traversal
Exploitation status
EPSS
1.27% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-21622 is to upgrade ClipBucket to version 5.5.1 - 237 or later, which includes the fix. If an immediate upgrade is not feasible, consider temporary workarounds. One approach is a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences in the avatar URL. Additionally, restrict the web server's write and delete permissions to the 'avatars' directory and apply strict input validation on the avatar URL so that traversal characters are rejected. Regularly review and audit file permissions to ensure they are appropriately configured. After upgrading, confirm the fix by submitting an avatar deletion request whose URL contains a path traversal sequence; the deletion should be blocked.
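The containment check described above, modelled in PHP as an added example (this is not ClipBucket's own code; the function names and the directory path are hypothetical): a naive prefix check that lets '../' through, beside a hardened version that reduces the input to a bare file name and re-checks containment with realpath().

```php
<?php
// Added example, not ClipBucket's code. AVATAR_DIR and both function names
// are hypothetical; the flaw modelled is the one the advisory describes.
const AVATAR_DIR = '/var/www/clipbucket/avatars';

// Vulnerable model: a string prefix check cannot reject '../' segments, so
// AVATAR_DIR . '/../../../etc/passwd' passes and unlink() would follow it.
function delete_avatar_vulnerable(string $userPath): string
{
    $target = AVATAR_DIR . '/' . $userPath;
    if (strpos($target, AVATAR_DIR . '/') !== 0) {
        throw new InvalidArgumentException('outside avatar directory');
    }
    return $target; // caller would unlink($target)
}

// Hardened: accept only a plain file name, then confirm on the resolved
// (symlink- and '..'-free) path that the target is still inside AVATAR_DIR.
function delete_avatar_hardened(string $userPath): string
{
    // 1. The input must be a single path component with a conservative charset.
    $name = basename($userPath);
    if ($name !== $userPath || $name === '.' || $name === '..'
        || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        throw new InvalidArgumentException('invalid avatar name');
    }
    // 2. Defence in depth: realpath() resolves symlinks and dot segments;
    //    it returns false if the file does not exist, which also stops deletion.
    $base = realpath(AVATAR_DIR);
    $real = realpath(AVATAR_DIR . '/' . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $real === false
        || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('avatar not found or outside directory');
    }
    return $real; // safe to unlink($real)
}

// Constructed probe (the same traversal string the advisory's curl check uses).
$probe = '../../../etc/passwd';
echo "vulnerable accepts: ", delete_avatar_vulnerable($probe), "\n";
try {
    delete_avatar_hardened($probe);
} catch (InvalidArgumentException $e) {
    echo "hardened rejects: ", $e->getMessage(), "\n";
}
```

The vulnerable function returns a path that escapes the directory, while the hardened one throws before any filesystem call is made.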
Upgrade ClipBucket to version 5.5.1 - 237 or later. This version fixes the path traversal vulnerability in the avatar deletion function. The update will prevent the deletion of files outside the avatars directory.
CVE-2025-21622 is a Path Traversal vulnerability in ClipBucket versions 5.5.1 and earlier, allowing attackers to delete files by manipulating the avatar upload URL.
You are affected if you are running ClipBucket version 5.5.1 or earlier. Upgrade to version 5.5.1 - 237 to resolve the issue.
Upgrade ClipBucket to version 5.5.1 - 237. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in the avatar URL.
As of January 2025, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the ClipBucket security advisories on their official website or GitHub repository for the latest information and updates.