CVE-2025-21622
Published: 07 January 2025
Summary
CVE-2025-21622 is a high-severity Path Traversal (CWE-22) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ClipBucket V5 is an open-source PHP video hosting platform affected by CVE-2025-21622, a path traversal vulnerability (CWE-22) in the user avatar deletion workflow. When processing an avatar_url value stored in the database, the application builds a file path under the avatars subdirectory without sanitizing traversal sequences such as "..". The final $file variable can therefore reference locations outside the intended directory, and the deletion routine removes arbitrary files on the server.
An unauthenticated attacker can supply a malicious avatar_url (either directly or by first storing it via any available user registration or profile mechanism) and trigger the deletion routine over the network. Successful exploitation yields high-impact denial of service through removal of critical application or system files, consistent with the CVSS 7.5 rating that reflects network attack vector, low complexity, and no required privileges or user interaction.
The issue is resolved in ClipBucket version 5.5.1-237, as noted in the project’s GitHub security advisory GHSA-5qpx-23rw-36gg and the associated commit that adds proper path validation. The EPSS score has remained low, with a current value of 0.0127 and a modest peak of 0.0165, indicating no significant post-disclosure exploitation interest.
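The deletion pattern described above, as an added illustration rather than ClipBucket's own code: the unchecked join that lets a stored avatar_url escape the avatars directory, beside a containment check that canonicalises both sides before unlinking. Python stands in for the PHP original, and the avatars_dir/avatar_url names and the demo file layout are assumptions.

```python
import os
import shutil
import tempfile


def unsafe_delete_target(avatars_dir: str, avatar_url: str) -> str:
    """The vulnerable pattern: base dir + stored avatar_url joined with no check.
    Returns the path the OS would actually unlink (only resolved, never deleted)."""
    return os.path.abspath(os.path.join(avatars_dir, avatar_url))


def safe_delete_avatar(avatars_dir: str, avatar_url: str) -> bool:
    """Hardened version: canonicalise both sides, then require containment.
    Returns True only if a regular file strictly inside avatars_dir was removed."""
    base = os.path.realpath(avatars_dir)
    candidate = os.path.realpath(os.path.join(base, avatar_url))
    # commonpath, not startswith: '/srv/avatars_old/x' starts with '/srv/avatars'
    # as a string but is not inside it. An absolute avatar_url makes join()
    # discard base entirely, so it fails this check too.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return False
    if not os.path.isfile(candidate):
        return False
    os.remove(candidate)
    return True


def demo() -> dict:
    """Constructed scenario: one avatar plus a config file one level up."""
    root = tempfile.mkdtemp()
    avatars = os.path.join(root, "avatars")
    os.mkdir(avatars)
    avatar = os.path.join(avatars, "user42.png")
    config = os.path.join(root, "config.php")
    for path in (avatar, config):
        with open(path, "w") as fh:
            fh.write("x")
    try:
        return {
            "unsafe_escapes": os.path.realpath(unsafe_delete_target(avatars, "../config.php"))
            == os.path.realpath(config),
            "safe_rejects_traversal": safe_delete_avatar(avatars, "../config.php"),
            "safe_rejects_absolute": safe_delete_avatar(avatars, config),
            "config_untouched": os.path.isfile(config),
            "safe_deletes_avatar": safe_delete_avatar(avatars, "user42.png"),
            "avatar_removed": not os.path.exists(avatar),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```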
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2574
Vulnerability details
ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url); therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1-237.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing web application enables remote exploitation (T1190); the resulting arbitrary file deletion is data destruction with an availability impact (T1485).
Mitigating Controls (NIST 800-53 r5)
- Directly prevents path traversal attacks by validating the user-supplied avatar_url input for malicious sequences before using it as a filepath in the deletion process.
- Addresses the tainting of the $file variable derived from untrusted database-stored avatar_url by marking and restricting its use in sensitive file deletion operations.
- Remediates the specific path traversal flaw through identification, reporting, and patching as implemented in ClipBucket version 5.5.1.