CVE-2025-21622
Published: 07 January 2025
Summary
CVE-2025-21622 is a high-severity Path Traversal (CWE-22) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the path traversal by validating the user-supplied avatar_url for traversal sequences before it is used as a file path in the deletion process.
- Addresses the tainting of the $file variable, which is derived from the untrusted database-stored avatar_url, by marking that value as untrusted and restricting its use in sensitive file deletion operations.
- SI-2 (Flaw Remediation): remediates the specific path traversal flaw through identification, reporting, and patching, as implemented in ClipBucket version 5.5.1.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing web application directly enables remote exploitation (T1190), and the resulting arbitrary file deletion is data destruction with an availability impact (T1485).
NVD Description
ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url), therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237.
Deeper analysis
ClipBucket V5, an open source PHP-based video hosting platform, is affected by CVE-2025-21622, a path traversal vulnerability classified under CWE-22. The issue arises in the user avatar upload and deletion workflow, where users can upload and change their avatars at any time. During deletion, the application treats the user-provided avatar_url—stored in the database—as a filepath within the avatars subdirectory. Without validation for path traversal sequences, the resulting $file variable becomes tainted, enabling deletion of files outside the intended avatars folder scope. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated network attacker (PR:N) can exploit this vulnerability by registering a user account, uploading an avatar with a specially crafted avatar_url containing path traversal sequences (e.g., ../), and then triggering the deletion process. This allows arbitrary file deletion on the server filesystem beyond the avatars directory, potentially disrupting service availability by targeting critical files, though it does not enable confidentiality breaches or integrity modifications.
The vulnerability is addressed in ClipBucket version 5.5.1 - 237, as detailed in the fix commit at https://github.com/MacWarrior/clipbucket-v5/commit/22329c4675e82c7c95e74024ba247f837ac9e00b and the GitHub Security Advisory GHSA-5qpx-23rw-36gg at https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-5qpx-23rw-36gg. Security practitioners should upgrade to the patched version and review avatar handling code for similar traversal risks in custom deployments.
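The following is an added example, not ClipBucket's own code or the fix commit: it places the weak deletion pattern the advisory describes (a database-stored avatar_url joined onto the avatars directory and unlinked) beside a confined version that applies the SI-10 input validation named above. It assumes PHP 8 (for str_starts_with); the directory layout and avatar_url values are constructed for the demonstration.

```php
<?php
// Added example, not ClipBucket code. Shows the unchecked deletion pattern
// described in CVE-2025-21622 and a confined replacement.
// Assumes PHP 8+. Paths and avatar_url values below are constructed.

// Weak pattern: the DB-stored avatar_url is used as a path component with
// no check for traversal sequences, so "../x" escapes $avatarsDir.
// Defined for comparison only; it is not called below.
function delete_avatar_unsafe(string $avatarsDir, string $avatarUrl): bool
{
    $file = $avatarsDir . '/' . $avatarUrl;
    if (file_exists($file)) {
        return unlink($file);
    }
    return false;
}

// Hardened pattern: accept only a bare file name, then confirm the canonical
// path still lies inside the avatars directory before unlinking.
function delete_avatar_safe(string $avatarsDir, string $avatarUrl): bool
{
    // 1. Syntactic check: one path component, no separators, no NUL bytes.
    //    basename('../config.php') !== '../config.php', so traversal fails here.
    if ($avatarUrl === '' || $avatarUrl !== basename($avatarUrl)
        || strpbrk($avatarUrl, "/\\\0") !== false) {
        return false;
    }
    // 2. Semantic check: canonicalise both sides and require a prefix match.
    //    This also rejects a symlink inside avatars/ that points elsewhere.
    $base = realpath($avatarsDir);
    $file = realpath($avatarsDir . DIRECTORY_SEPARATOR . $avatarUrl);
    if ($base === false || $file === false) {
        return false; // directory or file does not exist
    }
    if (!str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
        return false; // resolved path left the avatars directory
    }
    return is_file($file) && unlink($file);
}

// Self-check in a throw-away directory (constructed layout).
$root    = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
$avatars = $root . '/avatars';
mkdir($avatars, 0700, true);
file_put_contents($avatars . '/user42.png', 'png');
file_put_contents($root . '/config.php', 'secret');

var_dump(delete_avatar_safe($avatars, 'user42.png'));    // legitimate avatar
var_dump(delete_avatar_safe($avatars, '../config.php')); // traversal attempt
var_dump(file_exists($root . '/config.php'));            // file outside avatars/

// Clean up the demonstration directory.
unlink($root . '/config.php');
rmdir($avatars);
rmdir($root);
```

Run with `php example.php`: the first call returns true (the avatar is removed), the second returns false, and the final check confirms config.php outside the avatars directory was never touched. The two checks are deliberately redundant: the basename/strpbrk test rejects traversal syntax up front, and the realpath prefix comparison catches anything that still resolves outside the base directory, including symlinks, which a purely string-based filter would miss.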
Details
- CWE(s)