CVE-2025-21623
Published: 07 January 2025
Summary
CVE-2025-21623 is a high-severity Path Traversal (CWE-22) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ClipBucket V5 is an open-source PHP-based video hosting platform that, prior to version 5.5.1-238, is affected by a path traversal vulnerability (CWE-22) combined with missing authentication for a critical function (CWE-306). The flaw permits modification of the template directory setting without any credentials, which in turn triggers a denial of service by rendering the application unusable.
An unauthenticated attacker with network access can supply a crafted directory traversal sequence to alter the configured template path. Because the change requires no privileges and succeeds over the network with low attack complexity, the result is a high-impact availability compromise as scored by CVSS 7.5, while confidentiality and integrity remain unaffected.
The referenced GitHub security advisory GHSA-ffhj-hprx-7qvr and the associated commit 75d663f010cd8569eb9e278f030838174fb30188 document the fix and indicate that administrators should upgrade to the patched release 5.5.1-238 or later to eliminate the unauthenticated directory manipulation vector. The EPSS score remains low, with a current value of 0.0136 and a peak of only 0.0198, providing no indication of emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2575
Vulnerability details
ClipBucket V5 provides open-source video hosting with PHP. Prior to 5.5.1-238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in a public-facing PHP web application directly enables remote unauthenticated exploitation (T1190), resulting in an application DoS via template path manipulation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validating and sanitizing the user-supplied template directory input to prevent directory traversal attacks.
SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws like this directory traversal vulnerability through patching to version 5.5.1-238 or later.
Provides mechanisms to protect against denial-of-service impacts from template loading failures caused by directory traversal.
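One way to implement the SI-10 input-validation control for a template-directory setting, as an added example that is not ClipBucket's code or the upstream fix: the template choice is allowlisted to a bare directory name and the joined path is re-checked for containment under the templates root, and a separate helper flags traversal sequences in request-log values so attempts can be detected. The templates root path and the sample values are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed deployment layout (assumption, not taken from the advisory).
TEMPLATES_ROOT = "/var/www/clipbucket/templates"

# Allowlist: a template choice is a bare directory name, never a path.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_template_dir(requested: str, root: str = TEMPLATES_ROOT):
    """Return the canonical template directory for a requested template name,
    or None when the request is rejected.

    Two independent checks (defence in depth):
      1. the value must match the allowlist pattern, which contains no
         separators or dots, so '../' sequences never reach the path join;
      2. the joined path is normalised and must still sit under the root.
    """
    if not TEMPLATE_NAME_RE.fullmatch(requested):
        return None
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, requested))
    # Boundary-aware containment: '/templates_x' must not pass for '/templates'.
    if not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


_TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(raw_value: str) -> bool:
    """Detection helper for request logs or a WAF rule: URL-decode twice to
    catch double encoding, then look for a '..' path segment."""
    decoded = unquote(unquote(raw_value))
    return bool(_TRAVERSAL_RE.search(decoded))


if __name__ == "__main__":
    # Constructed sample values as they might arrive in a settings request.
    for value in ["default", "../../etc", "..%2F..%2Fetc", "default/../../tmp"]:
        print(f"{value!r:24} allowed={resolve_template_dir(value) is not None} "
              f"traversal={looks_like_traversal(value)}")
```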