Cyber Resilience

CVE-2025-21624

Severity: Critical · Public PoC

Published: 07 January 2025
Modified: 05 September 2025
KEV Added: not listed
Patch: 5.5.1-239
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.3291 (97.0th percentile)
Risk Priority: 39 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21624 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.0% of all CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ClipBucket V5 is an open-source PHP-based video hosting platform. Prior to version 5.5.1-239, it contained an unrestricted file upload flaw in the Manage Playlist feature that handles playlist cover images. The absence of server-side validation allowed an uploaded file to retain a .php extension instead of being restricted to an image format, enabling storage and later execution of arbitrary code such as a webshell. The issue affects both administrative and ordinary user interfaces.

A remote attacker can exploit the flaw over the network by submitting a crafted playlist cover upload containing PHP code and then requesting the stored file so that the web server executes it. The CVSS vector records PR:N (no privileges required); the advisory text itself places the vulnerable upload in both the admin area and the ordinary (low-level) user area, so any account able to manage playlists should be assumed sufficient, and a deployment with open registration is effectively exposed to anonymous users. Successful exploitation grants arbitrary command execution on the underlying server, which is the full confidentiality, integrity and availability impact behind the CVSS 9.8 score.

The vulnerability is addressed in release 5.5.1-239; the corresponding commit and GitHub Security Advisory GHSA-98vm-2xqm-xrcc document the fix. The current EPSS of 0.3291 has remained flat at its recorded peak, indicating sustained but not newly emerging exploitation interest.


Vulnerability details

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unauthenticated remote file upload in a public-facing web application directly enables web shell deployment and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
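The web-shell persistence technique above gives a responder two concrete things to check on a ClipBucket host: a file under the playlist-cover directory whose bytes are not an image, and web-server requests that execute a script beneath the cover URL path. The script below is an added example written for this page, not tooling from the page or from the ClipBucket project; the cover directory (it creates a temporary one), the URL prefix, the log format and every sample entry are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the page or the ClipBucket project.
# Hunts for the T1505.003 footprint of a cover-image upload abuse:
#   1. files under the cover directory whose bytes are not an image
#   2. web-server requests that execute a script beneath the cover URL path
# The directory, URL prefix, log format and sample entries are constructed.

COVER_DIR=$(mktemp -d)                      # stand-in for the real cover directory
COVER_URL_PREFIX="/files/playlist_covers/"  # assumed web path of stored covers

# Constructed fixtures: a PNG header (a real cover would follow it) and a
# PHP file that a vulnerable handler would have stored under a client name.
printf '\211PNG\r\n\032\n' > "$COVER_DIR/3f9a.png"
printf '<?php /* constructed non-image sample */ ?>\n' > "$COVER_DIR/cover.php"

# Constructed access-log lines in combined-log shape.
LOG_SAMPLE='203.0.113.5 - - [07/Jan/2025:10:00:01 +0000] "GET /files/playlist_covers/3f9a.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jan/2025:10:02:17 +0000] "GET /files/playlist_covers/cover.php?c=id HTTP/1.1" 200 71 "-" "curl/8.4.0"
203.0.113.9 - - [07/Jan/2025:10:02:40 +0000] "POST /files/playlist_covers/cover.php HTTP/1.1" 200 430 "-" "python-requests/2.31"'

# Classify a file by its leading bytes (content, never the extension).
cover_kind() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        *)        echo other ;;
    esac
}

# Check 1: print every file under the cover directory that is not an image.
# An empty result is the clean state.
find_non_image_covers() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(cover_kind "$f")" = other ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Check 2: from log text on stdin, print requests that execute a script
# under the cover path (any .php/.phtml/.phar, with or without a query).
find_cover_script_hits() {
    grep -E "\"(GET|POST) $1[^\" ]*\.(php|phtml|phar)[^\" ]* HTTP"
}

# Convenience wrapper over the sample log; prints the number of hits.
count_cover_script_hits() {
    printf '%s\n' "$LOG_SAMPLE" | find_cover_script_hits "$COVER_URL_PREFIX" | wc -l | tr -d ' '
}

echo "== non-image files under $COVER_DIR =="
find_non_image_covers "$COVER_DIR"
echo "== script executions under $COVER_URL_PREFIX =="
printf '%s\n' "$LOG_SAMPLE" | find_cover_script_hits "$COVER_URL_PREFIX"
```

On a real host, point `COVER_DIR` at the directory ClipBucket writes covers to and feed the actual access log into `find_cover_script_hits`. Any `.php` file in that directory is an indicator by itself, since a correctly validated upload never produces one; a 200 response to a request for it is evidence the web shell ran.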

CVEs Like This One

CVE-2026-25728 · Same product: Oxygenz Clipbucket
CVE-2026-21875 · Same product: Oxygenz Clipbucket
CVE-2025-21623 · Same product: Oxygenz Clipbucket
CVE-2025-67418 · Same product: Oxygenz Clipbucket
CVE-2025-21622 · Same product: Oxygenz Clipbucket
CVE-2026-32321 · Same product: Oxygenz Clipbucket
CVE-2025-46384 · Shared CWE-434
CVE-2025-13516 · Shared CWE-434
CVE-2024-13011 · Shared CWE-434
CVE-2025-8323 · Shared CWE-434

Affected Assets

Vendor: oxygenz
Product: clipbucket
Versions: 5.3 up to, but not including, 5.5.1-239 (the fixed release)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation
Directly addresses the lack of proper validation on uploaded playlist cover images, preventing acceptance of malicious PHP scripts disguised as images.

prevent · SI-2 Flaw Remediation
Mandates timely remediation of the specific file upload flaw by applying the patch in version 5.5.1-239.

prevent
Restricts file uploads in the Manage Playlist functionality to only permitted image types, blocking executable PHP files at the input boundary.
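The deeper-analysis paragraph and the SI-10 control above describe the same fix: decide what an uploaded cover is from its bytes, never from the client-supplied name, and never let a client-chosen `.php` name reach a web-served directory. The handler below is an added example written for this page in the project's language; it is not ClipBucket's code and not the 5.5.1-239 patch. The function names, the storage path, the `cover` upload field name and the size limit are assumptions.

```php
<?php
// Added example, not ClipBucket's code or the 5.5.1-239 patch.
// Vulnerable and hardened shapes of a playlist-cover upload handler.
// COVER_DIR, MAX_COVER_BYTES and the field name "cover" are assumptions.

declare(strict_types=1);

const COVER_DIR       = '/var/www/clipbucket/files/playlist_covers'; // assumed path
const MAX_COVER_BYTES = 2 * 1024 * 1024;                              // assumed policy

// Content types accepted for a cover, with the single extension we will
// ever write for each. The client's name and Content-Type are ignored.
const ALLOWED_COVER_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Vulnerable shape (illustrative only): the client-supplied name, and so
 * its extension, is kept. "cover.php" lands in a web-served directory.
 */
function store_cover_unsafe(array $file): string
{
    $dest = COVER_DIR . '/' . basename($file['name']);  // attacker controls the extension
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/**
 * Hardened shape: validate the bytes, then write a server-chosen name with
 * an allowlisted extension. Throws RuntimeException on any rejection.
 */
function store_cover_safe(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_COVER_BYTES) {
        throw new RuntimeException('cover too large');
    }
    // Accept only a file PHP itself received through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Sniff the real content type with libmagic; $file['type'] is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_COVER_TYPES)) {
        throw new RuntimeException('disallowed content type');
    }

    // 2. Require the bytes to parse as that image type, not just carry its magic.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file is not a valid image');
    }

    // 3. Never reuse the client name: random name plus canonical extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_COVER_TYPES[$mime];
    $dest = COVER_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store cover');
    }
    chmod($dest, 0644);  // readable, never executable
    return $dest;
}

// Usage inside the playlist handler (assumed field name "cover"):
try {
    $stored = store_cover_safe($_FILES['cover'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Invalid cover image');
}
```

A PHP payload embedded inside a structurally valid JPEG still passes steps 1 and 2; that is why step 3 matters: the stored file never has a `.php` extension, so the server has nothing to execute. As defence in depth, also disable script execution in the cover directory at the web server (for example `php_admin_flag engine off` in an Apache `<Directory>` block under mod_php, or an nginx `location` that denies `\.php$` beneath the cover path), so that a future validation bug does not become code execution again.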
