CVE-2025-66480
Published: 02 February 2026
Summary
CVE-2025-66480 is a critical-severity Path Traversal (CWE-22) vulnerability in Wildfirechat Im-Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of user-supplied filenames at the file upload entry point to block directory traversal sequences like ../../.
Restricts application process privileges to limit writable filesystem locations, mitigating arbitrary file writes outside intended directories.
Provides monitoring and integrity checks to identify unauthorized file writes or modifications from exploited traversal attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal vulnerability in public-facing file upload endpoint (/fs) of Wildfire IM server enables unauthenticated arbitrary file writes leading to RCE, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file…
more
uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.
Deeper analysisAI
CVE-2025-66480 is a critical directory traversal vulnerability in the file upload functionality of Wildfire IM's im-server component, specifically in the com.xiaoleilu.loServer.action.UploadFileAction class. Wildfire IM is an instant messaging and real-time audio/video solution. Prior to version 1.4.3, the /fs endpoint processes multipart file uploads but fails to sanitize user-supplied filenames, allowing directory traversal sequences such as ../../ to be directly concatenated with the configured storage directory in the writeFileUploadData method. This enables arbitrary file writes to locations on the server's filesystem where the application process has write permissions. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted multipart file upload request to the /fs endpoint with a malicious filename containing traversal sequences. Successful exploitation allows the attacker to write arbitrary files, such as executable scripts, binaries, or modifications to critical files like authorized_keys or cron jobs, leading to full remote code execution (RCE) and complete server compromise.
The vulnerability is addressed in Wildfire IM im-server version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-74hq-jhx2-fq6c), release notes, and the fixing commit (2f9c4e028c01c64913cab32e7248bcca183a5230). Security practitioners should upgrade to 1.4.3 or later and review access to the /fs endpoint, ensuring it is not exposed publicly while implementing filename sanitization and directory restrictions as interim measures.
Details
- CWE(s)