Cyber Resilience

CVE-2025-21622

Severity: High · Public PoC

Published: 07 January 2025
Modified: 05 September 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0127 (79.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21622 is a high-severity Path Traversal (CWE-22) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ClipBucket V5 is an open-source PHP video hosting platform affected by CVE-2025-21622, a path traversal vulnerability (CWE-22) in the user avatar deletion workflow. When processing an avatar_url value stored in the database, the application builds a file path under the avatars subdirectory without sanitizing traversal sequences such as “..”. The final $file variable can therefore reference locations outside the intended directory, so the deletion routine removes arbitrary files on the server.

An unauthenticated attacker can supply a malicious avatar_url (either directly or by first storing it via any available user registration or profile mechanism) and trigger the deletion routine over the network. Successful exploitation yields high-impact denial of service through removal of critical application or system files, consistent with the CVSS 7.5 rating that reflects network attack vector, low complexity, and no required privileges or user interaction.

The issue is resolved in ClipBucket version 5.5.1-237, as noted in the project’s GitHub security advisory GHSA-5qpx-23rw-36gg and the associated commit that adds proper path validation. The EPSS score has remained low, with a current value of 0.0127 and a modest peak of 0.0165, indicating no significant post-disclosure exploitation interest.
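The defect described above is a missing containment check between the stored avatar_url value and the directory it is supposed to stay inside. The following PHP is an added example written for this page, not ClipBucket's own code or the fix from the referenced commit: it places the vulnerable join-and-unlink pattern beside a hardened version that restricts the value to a plain file name, canonicalises it with realpath(), and deletes only when the canonical path lies strictly under the canonical avatars directory. Function names, the directory layout and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example (not ClipBucket's code). Function names, the temp directory
// layout and the sample files below are constructed for illustration.
declare(strict_types=1);

/**
 * Vulnerable pattern (illustrative only): the stored value is joined onto the
 * avatars directory with no check, so a value carrying traversal sequences
 * resolves to a path outside that directory and unlink() removes it.
 */
function deleteAvatarUnsafe(string $avatarsDir, string $avatarUrl): bool
{
    $file = $avatarsDir . '/' . $avatarUrl;
    return file_exists($file) && unlink($file);
}

/**
 * Hardened form. Returns true only when a regular file inside $avatarsDir was
 * removed; any value that is not a plain, allow-listed file name, or whose
 * canonical path escapes the directory, is refused without touching the disk.
 */
function deleteAvatarSafe(string $avatarsDir, string $avatarUrl): bool
{
    // Refuse empty values, NUL bytes and anything containing a path separator:
    // the stored value must be a bare file name, not a path.
    if ($avatarUrl === '' || strpos($avatarUrl, "\0") !== false
        || basename($avatarUrl) !== $avatarUrl) {
        return false;
    }
    // Allow-list the characters an avatar file name is expected to contain and
    // reject the two names that pass the allow-list but denote directories.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $avatarUrl)
        || $avatarUrl === '.' || $avatarUrl === '..') {
        return false;
    }

    // Canonicalise both sides; realpath() also follows symlinks, so a link
    // inside avatars that points elsewhere fails the containment test too.
    $baseReal = realpath($avatarsDir);
    $fileReal = realpath($avatarsDir . DIRECTORY_SEPARATOR . $avatarUrl);
    if ($baseReal === false || $fileReal === false) {
        return false; // directory missing, or nothing there to delete
    }

    // Containment: the canonical file path must begin with the canonical base
    // directory plus a separator, so a sibling such as "avatars_old" cannot match.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0 || !is_file($fileReal)) {
        return false;
    }
    return unlink($fileReal);
}

// Constructed layout in a throwaway temp directory: one legitimate avatar and
// one file outside the avatars directory standing in for application config.
$root = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
mkdir("$root/avatars", 0700, true);
file_put_contents("$root/avatars/user42.png", 'png');
file_put_contents("$root/config.php", 'placeholder');

// Traversal value against the hardened routine: refused, config.php survives.
printf("safe, traversal value: deleted=%s, config present=%s\n",
    var_export(deleteAvatarSafe("$root/avatars", '../config.php'), true),
    var_export(file_exists("$root/config.php"), true));

// Legitimate avatar name against the hardened routine: removed.
printf("safe, legitimate name: deleted=%s\n",
    var_export(deleteAvatarSafe("$root/avatars", 'user42.png'), true));

// Same traversal value against the vulnerable pattern: the file outside the
// directory is gone, which is the behaviour the advisory describes.
printf("unsafe, traversal value: deleted=%s, config present=%s\n",
    var_export(deleteAvatarUnsafe("$root/avatars", '../config.php'), true),
    var_export(file_exists("$root/config.php"), true));

// Clean up the constructed layout.
@unlink("$root/avatars/user42.png");
@unlink("$root/config.php");
@rmdir("$root/avatars");
@rmdir($root);
```

Two design points are worth noting. The allow-list on the bare file name is the primary control and would be enough on its own for this workflow; the realpath() prefix comparison is a second, independent check that still holds if some future code path builds the name differently. Comparing against the prefix with a trailing separator, rather than the bare directory string, matters because a simple string prefix test would otherwise accept a sibling directory whose name merely starts with "avatars".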

Vulnerability details

ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url), therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1-237.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal in a public-facing web application directly enables remote exploitation (T1190), and the resulting arbitrary file deletion is data destruction with an availability impact (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21623 · Same product: Oxygenz Clipbucket
CVE-2026-21875 · Same product: Oxygenz Clipbucket
CVE-2025-21624 · Same product: Oxygenz Clipbucket
CVE-2026-25728 · Same product: Oxygenz Clipbucket
CVE-2025-67418 · Same product: Oxygenz Clipbucket
CVE-2026-32321 · Same product: Oxygenz Clipbucket
CVE-2025-67963 · Shared CWE-22
CVE-2026-4351 · Shared CWE-22
CVE-2026-22448 · Shared CWE-22
CVE-2025-7359 · Shared CWE-22

Affected Assets

Vendor: oxygenz
Product: clipbucket
Versions: 5.3 to 5.5.1-237

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly prevents path traversal attacks by validating the user-supplied avatar_url input for malicious sequences before using it as a filepath in the deletion process.

SI-20 Tainting (prevent, good match)

Addresses the tainting of the $file variable derived from the untrusted database-stored avatar_url by marking it and restricting its use in sensitive file deletion operations.

SI-2 Flaw Remediation (prevent)

Remediates the specific path traversal flaw through identification, reporting, and patching, as implemented in ClipBucket version 5.5.1.
