Cyber Resilience

CVE-2025-66480

Critical

Published: 02 February 2026

Published
02 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0140 68.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-66480 is a critical-severity Path Traversal (CWE-22) vulnerability in Wildfirechat Im-Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-66480 is a critical directory traversal vulnerability in the file upload functionality of Wildfire IM's im-server component, specifically in the com.xiaoleilu.loServer.action.UploadFileAction class. Wildfire IM is an instant messaging and real-time audio/video solution. Prior to version 1.4.3, the /fs endpoint processes multipart file uploads but fails to sanitize user-supplied filenames, allowing directory traversal sequences such as ../../ to be directly concatenated with the configured storage directory in the writeFileUploadData method. This enables arbitrary file writes to locations on the server's filesystem where the application process has write permissions. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted multipart file upload request to the /fs endpoint with a malicious filename containing traversal sequences. Successful exploitation allows the attacker to write arbitrary files, such as executable scripts, binaries, or modifications to critical files like authorized_keys or cron jobs, leading to full remote code execution (RCE) and complete server compromise.

The vulnerability is addressed in Wildfire IM im-server version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-74hq-jhx2-fq6c), release notes, and the fixing commit (2f9c4e028c01c64913cab32e7248bcca183a5230). Security practitioners should upgrade to 1.4.3 or later and review access to the /fs endpoint, ensuring it is not exposed publicly while implementing filename sanitization and directory restrictions as interim measures.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file…

more

uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal vulnerability in public-facing file upload endpoint (/fs) of Wildfire IM server enables unauthenticated arbitrary file writes leading to RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2743Shared CWE-22, CWE-434
CVE-2026-26984Shared CWE-22, CWE-434
CVE-2025-68398Shared CWE-22, CWE-434
CVE-2025-12352Shared CWE-434
CVE-2025-2505Shared CWE-22
CVE-2026-35605Shared CWE-22
CVE-2025-53632Shared CWE-22
CVE-2026-25055Shared CWE-22
CVE-2026-22786Shared CWE-22, CWE-434
CVE-2026-4619Shared CWE-22

Affected Assets

wildfirechat
im-server
≤ 1.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of user-supplied filenames at the file upload entry point to block directory traversal sequences like ../../.

prevent

Restricts application process privileges to limit writable filesystem locations, mitigating arbitrary file writes outside intended directories.

detect

Provides monitoring and integrity checks to identify unauthorized file writes or modifications from exploited traversal attempts.

References