CVE-2025-66449

ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30
https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e
https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r
https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r

Configurations

No configuration.

History

16 Dec 2025, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r -~~	() https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r -

16 Dec 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-16 01:15

Updated : 2025-12-16 16:16

NVD link : CVE-2025-66449

Mitre link : CVE-2025-66449

CVE.ORG link : CVE-2025-66449

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

CWE-434

Unrestricted Upload of File with Dangerous Type

8.8 /10