CVE-2025-21624
Published: 07 January 2025
Summary
CVE-2025-21624 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ClipBucket V5 is an open-source PHP-based video hosting platform. Prior to version 5.5.1-239, it contained an unrestricted file upload flaw in the Manage Playlist feature that handles playlist cover images. The absence of server-side validation allowed an uploaded file to retain a .php extension instead of being restricted to an image format, enabling storage and later execution of arbitrary code such as a webshell. The issue affects both administrative and ordinary user interfaces.
An unauthenticated remote attacker can exploit the flaw over the network by submitting a crafted playlist cover upload containing PHP code. Successful exploitation grants the ability to execute arbitrary commands on the underlying server, resulting in full confidentiality, integrity, and availability impact as reflected by the CVSS 9.8 score.
The vulnerability is addressed in release 5.5.1-239; the corresponding commit and GitHub Security Advisory GHSA-98vm-2xqm-xrcc document the fix. The current EPSS of 0.3291 has remained flat at its recorded peak, indicating sustained but not newly emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2576
Vulnerability details
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker…
more
can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote file upload in public-facing web app directly enables webshell deployment and RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the lack of proper validation on uploaded playlist cover images, preventing acceptance of malicious PHP scripts disguised as images.
Mandates timely remediation of the specific file upload flaw by applying the patch in version 5.5.1-239.
Restricts file uploads in the Manage Playlist functionality to only permitted image types, blocking executable PHP files at the input boundary.