CVE-2025-66449
Published: 16 December 2025
Summary
CVE-2025-66449 is a high-severity Path Traversal (CWE-22) vulnerability in C4Illin Convertx. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): requires validation of user-supplied file names at the upload endpoint to prevent arbitrary file writes and overwriting of system binaries.
- SI-2 (Flaw Remediation): ensures timely flaw remediation by applying the patch in version 0.16.0, which sanitizes file names and blocks the vulnerability.
- Limit application process privileges so that critical system binaries cannot be overwritten even when a file name is not sanitized.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows exploitation of a public-facing web application (T1190) via an unauthenticated file upload endpoint that leads to arbitrary file writes, enabling compromise of host software binaries by overwriting system binaries with malicious code (T1554).
NVD Description
ConvertX is a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user-supplied data without doing any sanitization on the name, thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided by an attacker, allowing full code execution. Version 0.16.0 contains a patch for the issue.
Deeper analysis (AI-generated)
CVE-2025-66449 is a vulnerability in ConvertX, a self-hosted online file converter, affecting versions prior to 0.16.0. The issue lies in the `/upload` endpoint, where the upload function directly uses the user-supplied `file.name` without sanitization. This allows arbitrary file writes on the system, including overwriting binaries, which can lead to code execution.
An authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to overwrite system binaries with malicious files provided in the upload, achieving full code execution on the server.
The GitHub security advisory GHSA-cpww-gwgc-p72r documents the vulnerability, and version 0.16.0 includes a patch that addresses the lack of file name sanitization. The fixing commit is at https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e, while the vulnerable code appears in src/pages/upload.tsx lines 27-30 at https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30.
Details
- CWE(s)