CVE-2025-66449

ConvertX has Path Traversal that leads to Arbitrary File Write and Arbitrary Code Execution

CVSS 8.8 HIGHEPSS 0.7%CWE-22 CWE-434 CWE-73

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

C4illin · ConvertX

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30 https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r