CVE-2025-66449

ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30	Product
https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e	Patch
https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r	Exploit Vendor Advisory
https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:c4illin:convertx:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-16 01:15

Updated : 2026-01-07 20:36

NVD link : CVE-2025-66449

Mitre link : CVE-2025-66449

CVE.ORG link : CVE-2025-66449

JSON object : View

Products Affected

c4illin

convertx

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-66449", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-12-16T01:15:51.750", "references": [{"url": "https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue."}], "lastModified": "2026-01-07T20:36:18.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:c4illin:convertx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F67602C7-26D1-4477-AE93-85CE2AAE6A3D", "versionEndExcluding": "0.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}