Cyber Resilience

CVE-2025-21623

HighPublic PoC

Published: 07 January 2025

Published
07 January 2025
Modified
05 September 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0136 80.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21623 is a high-severity Path Traversal (CWE-22) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ClipBucket V5 is an open-source PHP-based video hosting platform that, prior to version 5.5.1-238, is affected by a path traversal vulnerability (CWE-22) combined with missing authentication for a critical function (CWE-306). The flaw permits modification of the template directory setting without any credentials, which in turn triggers a denial of service by rendering the application unusable.

An unauthenticated attacker with network access can supply a crafted directory traversal sequence to alter the configured template path. Because the change requires no privileges and succeeds over the network with low attack complexity, the result is a high-impact availability compromise as scored by CVSS 7.5, while confidentiality and integrity remain unaffected.

The referenced GitHub security advisory GHSA-ffhj-hprx-7qvr and the associated commit 75d663f010cd8569eb9e278f030838174fb30188 document the fix and indicate that administrators should upgrade to the patched release 5.5.1-238 or later to eliminate the unauthenticated directory manipulation vector. The EPSS score remains low, with a current value of 0.0136 and a peak of only 0.0198, providing no indication of emerging exploitation interest.

EU & UK References

Vulnerability details

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directory traversal in public-facing PHP web app directly enables remote unauthenticated exploitation (T1190) resulting in application DoS via template path manipulation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21622Same product: Oxygenz Clipbucket
CVE-2026-21875Same product: Oxygenz Clipbucket
CVE-2025-67418Same product: Oxygenz Clipbucket
CVE-2025-21624Same product: Oxygenz Clipbucket
CVE-2026-25728Same product: Oxygenz Clipbucket
CVE-2026-32321Same product: Oxygenz Clipbucket
CVE-2025-3356Shared CWE-22
CVE-2026-0545Shared CWE-306
CVE-2025-26339Shared CWE-306
CVE-2026-34731Shared CWE-306

Affected Assets

oxygenz
clipbucket
5.3 — 5.5.1-238

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validating and sanitizing user-supplied template directory inputs to prevent directory traversal attacks.

prevent

Mandates identification, reporting, and correction of flaws like this directory traversal vulnerability through patching to version 5.5.1-238 or later.

preventdetect

Provides mechanisms to protect against denial-of-service impacts from template loading failures caused by directory traversal.

References