Cyber Resilience

CVE-2025-22137

Severity: Critical
Published: 08 January 2025
Modified: 15 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in Pingvin Share 1.4.0
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0025 (48.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22137 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Pingvin Share, a self-hosted file sharing platform; the page also tags it with CWE-434 (Unrestricted Upload of File with Dangerous Type). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0025 places it at the 48.5th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-22137 is a critical vulnerability in Pingvin Share, a self-hosted file sharing platform positioned as an alternative to WeTransfer. The flaw lets a client overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests: the file path derived from the request is not validated (CWE-20), and uploads of dangerous file types are not restricted (CWE-434). It affects Pingvin Share versions prior to 1.4.0 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is reachable over the network with low attack complexity and requires no user interaction. Any authenticated user can trigger it, and so can an unauthenticated user when the instance permits anonymous shares, which is why the vector records PR:N. The page rates the impact as high on confidentiality, integrity and availability because critical files on the server can be overwritten. In practice the blast radius is bounded by what the Pingvin Share process itself can write: an instance running as an unprivileged user inside a container with only its data directory mounted writable exposes far less than one running with broad filesystem access, so treat the "system files" case as the worst-case deployment.

The vulnerability has been patched in Pingvin Share version 1.4.0. Mitigation is to upgrade to that version or later, as detailed in the GitHub security advisory (GHSA-rjwx-p44f-mcrv) and the associated fix commits. After upgrading, confirm the deployed version really is 1.4.0 or later (for container deployments, that the image was re-pulled or rebuilt, not just the tag edited), and until then consider disabling anonymous shares so that only authenticated accounts can reach the upload endpoint.
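The bug class described above, as an added example in TypeScript (the language Pingvin Share is written in). This is illustrative code, not Pingvin Share's own: the `<sharesRoot>/<shareId>/<fileName>` layout, the function names, the share-id format and the sample request bodies are all assumptions made for the demonstration. The vulnerable join is shown beside a hardened version that allow-lists the share id, accepts only a single path component as the file name, and re-checks containment after normalisation.

```typescript
// Added example (not Pingvin Share's code). Models the page's bug class: a file
// name taken from an HTTP POST body is joined into a filesystem path, and ".."
// segments let it escape the share directory. Layout <sharesRoot>/<shareId>/<fileName>
// and every name below are assumptions for illustration. sharesRoot is assumed absolute.

// Join segments the way a POSIX path.join/normalize would: "." is dropped, ".."
// pops the previous segment, and ".." above the root is silently discarded
// ("/srv/shares/abc/../../../etc/passwd" -> "/etc/passwd"). This normalisation is
// exactly what lets a crafted name land outside the intended directory.
export function joinAndNormalize(...parts: string[]): string {
  const out: string[] = [];
  for (const part of parts) {
    for (const seg of part.split("/")) {
      if (seg === "" || seg === ".") continue;
      if (seg === "..") { out.pop(); continue; }
      out.push(seg);
    }
  }
  return "/" + out.join("/");
}

// Vulnerable pattern: request-controlled ids go straight into the path.
export function naiveUploadPath(sharesRoot: string, shareId: string, fileName: string): string {
  return joinAndNormalize(sharesRoot, shareId, fileName);
}

const SHARE_ID = /^[A-Za-z0-9_-]{1,64}$/;   // opaque token, no separators or dots
const FORBIDDEN_IN_NAME = /[\/\\\0]/;        // both separators and the NUL terminator

// True when candidate lies strictly below root. The root is slash-terminated
// before the prefix test so "/srv/sharesX/..." is not mistaken for "/srv/shares/...".
export function isInside(root: string, candidate: string): boolean {
  const r = root.endsWith("/") ? root : root + "/";
  return candidate.startsWith(r);
}

// Hardened version: allow-list the share id, accept only a single path component
// as the file name, then verify containment after normalisation as defence in
// depth against anything the allow-lists missed. Returns null on rejection.
export function safeUploadPath(sharesRoot: string, shareId: string, fileName: string): string | null {
  if (!SHARE_ID.test(shareId)) return null;
  if (fileName.length === 0 || fileName.length > 255) return null;
  if (FORBIDDEN_IN_NAME.test(fileName) || fileName === "." || fileName === "..") return null;
  const root = joinAndNormalize(sharesRoot);
  const full = joinAndNormalize(root, shareId, fileName);
  return isInside(root, full) ? full : null;
}

// Constructed sample request bodies: one legitimate upload, the rest traversal
// attempts through the file name, the share id, backslashes and an embedded NUL.
export const SAMPLE_REQUESTS = [
  { shareId: "abc123", fileName: "report.pdf" },
  { shareId: "abc123", fileName: "../../../etc/cron.d/backdoor" },
  { shareId: "../../etc", fileName: "passwd" },
  { shareId: "abc123", fileName: "..\\..\\win.ini" },
  { shareId: "abc123", fileName: "a\0.txt" },
];

// Runs every sample through both resolvers so the difference is visible side by side.
export function evaluate(sharesRoot: string) {
  return SAMPLE_REQUESTS.map((r) => ({
    ...r,
    naive: naiveUploadPath(sharesRoot, r.shareId, r.fileName),
    safe: safeUploadPath(sharesRoot, r.shareId, r.fileName),
  }));
}

for (const row of evaluate("/srv/shares")) {
  console.log(JSON.stringify(row));
}
```

Note that the containment check alone is not enough on its own: a single-component allow-list is what stops the backslash and NUL cases, which a POSIX-style normaliser passes through untouched, while the containment check catches any encoding the allow-list did not anticipate. Both layers correspond to the SI-10 (input validation) and AC-3 (access enforcement) controls the page names.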

EU & UK References

Vulnerability details

Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.

CWE(s)

CWE-20 Improper Input Validation
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing web app via arbitrary file overwrite due to missing input validation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9157 (shared CWE-20, CWE-434)
CVE-2025-68398 (shared CWE-20, CWE-434)
CVE-2026-2113 (shared CWE-20, CWE-434)
CVE-2024-56975 (shared CWE-434)
CVE-2019-25580 (shared CWE-434)
CVE-2026-27636 (shared CWE-434)
CVE-2026-4809 (shared CWE-434)
CVE-2026-4755 (shared CWE-20)
CVE-2026-6973 (shared CWE-20)
CVE-2020-37090 (shared CWE-434)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation
Directly addresses the improper input validation (CWE-20) that lets arbitrary file paths in HTTP POST requests overwrite server files.

prevent · AC-3 Access Enforcement
Enforces logical access controls that restrict file write operations to authorized locations only, preventing arbitrary overwrites of sensitive system files.

prevent
Restricts the types, sources and handling of uploaded files to block dangerous file types and unauthorized paths (CWE-434) in anonymous or authenticated shares.

References