CVE-2025-50202
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-06-18
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50202 is a path traversal vulnerability (CWE-22) in the Lychee photo-management tool, affecting versions 6.6.6 up to, but not including, 6.6.10. The SecurePathController.php handler builds a filesystem path from the request without confining it to the intended image directory, so a crafted request containing traversal sequences resolves to an arbitrary local file on the server. Readable targets include the application's environment file and configuration secrets, nginx logs, and other users' uploaded images. No authentication is required: an unauthenticated attacker can read these files because the handler lacks path traversal protection. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server, such as environment variables, configuration secrets, server logs, and private user data like uploaded images. Leaked application keys, database credentials, or session material can compromise the application and the underlying system and enable further attacks or data breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching web-server or proxy logs for HTTP GET requests to the Lychee /image/ route that carry path-traversal sequences, either literal ("../") or URL-encoded ("..%2f", "%2e%2e%2f", or double-encoded "..%252f"), for example GET /image/..%2fconf%2f.env. Two example commands against an nginx or Apache access log:

1) Find requests with traversal sequences under the image route:
   grep -iE 'GET /image/[^ ]*(%2f|%2e%2e|\.\./)' /path/to/access.log

2) Narrow to requests that reach for sensitive files (the alternation must be grouped; an ungrouped 'GET /image/.*\.env|nginx|conf' would match any line containing "nginx" or "conf"):
   grep -iE 'GET /image/[^ ]*(\.env|\.log|conf)' /path/to/access.log

A 200 response to such a request on an unpatched host indicates a likely successful file read. On patched systems, HTTP 418 responses (returned by the patch when a path traversal attempt is detected) indicate blocked exploitation attempts and are worth alerting on. [1]
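The grep commands above miss double-encoded traversal ("..%252f") and will flag harmless filenames that merely contain ".env". The following Python script, added here as an example and not part of the BaseFortify page or the Lychee project, parses combined-format access log lines, percent-decodes the request path repeatedly so that double encoding is normalised, and only reports requests whose decoded path contains a ".." segment under /image/. The log lines are constructed for the example; the sensitive-target pattern is an assumption based on the files the advisory names.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in nginx/Apache combined format.
# They are made up for this example and are not from a real Lychee host.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2025:10:00:01 +0000] "GET /image/abc123.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jun/2025:10:00:02 +0000] "GET /image/..%2fconf%2f.env HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [18/Jun/2025:10:00:03 +0000] "GET /image/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1200 "-" "curl/8.0"
203.0.113.9 - - [18/Jun/2025:10:00:04 +0000] "GET /image/../../storage/logs/nginx.log HTTP/1.1" 418 0 "-" "curl/8.0"
198.51.100.2 - - [18/Jun/2025:10:00:05 +0000] "GET /image/thumb/.envelope.jpg HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment in the decoded path, at the start or between slashes.
DOTDOT_SEGMENT = re.compile(r'(?:^|/)\.\.(?:/|$)')

# Files the advisory calls out (env, logs, config) plus a classic canary; assumed list.
SENSITIVE = re.compile(r'(?:^|/)\.env$|/etc/passwd$|\.log$|/conf(?:ig)?/', re.I)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so ..%252f becomes ../."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def scan_log(text: str, prefix: str = "/image/") -> list:
    """Return one finding per request under `prefix` whose decoded path contains '..'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        decoded = fully_decode(m["path"])
        if not DOTDOT_SEGMENT.search(decoded):
            continue  # no traversal: a filename that merely contains ".env" is not flagged
        findings.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "raw": m["path"],
            "decoded": decoded,
            "sensitive": bool(SENSITIVE.search(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['decoded']} sensitive={f['sensitive']}")
```

Run it against a real log with `scan_log(open("/path/to/access.log").read())`; a status of 200 on a flagged line is the case to investigate first, while 418 lines on a patched host show attempts that were blocked.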
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Lychee to version 6.6.10 or later, where the vulnerability is patched. The fix validates that the resolved file path stays within the allowed image directories, enforces the signature and expiration checks on secure and temporary image URLs, and gates access on the relevant configuration flags. If upgrading immediately is not possible, disable the 'secure_image_link_enabled' and 'temporary_image_link_enabled' features to remove the affected code path, and monitor for the traversal patterns described above as a temporary measure. Applying the patch commit ae7270b7b47e4a284ea1f69d260e52d592711072 is recommended to fully address the issue. [1, 2]
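To make the three parts of the fix concrete (path containment, URL signature and expiry, feature flag), here is a self-contained Python model of a secure-image endpoint. It is an added illustration written for this page, not Lychee's PHP code: the URL scheme (`expires` and `signature` query parameters), the HMAC key, the route prefix and the temporary storage layout are all assumptions. The 418 status for a path that escapes the image directory follows the behaviour the advisory attributes to the patch. The containment test is done on the result of `os.path.realpath`, so ".." and symlinks are resolved before the comparison rather than string-matched.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, unquote

# Hypothetical signing key and route prefix; a real app takes these from configuration.
APP_KEY = b"example-only-app-key"
ROUTE_PREFIX = "/image/"


def sign_temporary_url(rel_path: str, expires_at: int, key: bytes = APP_KEY) -> str:
    """Build a signed, expiring URL for one image (hypothetical scheme, not Lychee's)."""
    mac = hmac.new(key, f"{rel_path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return ROUTE_PREFIX + rel_path + "?" + urlencode({"expires": expires_at, "signature": mac})


def resolve_within(base_dir: str, rel_path: str) -> Optional[str]:
    """Resolve rel_path under base_dir; return None if the real path escapes base_dir.

    realpath() collapses '..' and follows symlinks, so the check is made on the
    final filesystem location, not on the string the client sent.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, rel_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def validate_image_request(url: str, base_dir: str, now: int, *,
                           key: bytes = APP_KEY,
                           secure_image_links: bool = True) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, file path or None) for a request to the image route.

    403: feature disabled, bad signature, or expired link.
    418: requested path escapes the image directory (traversal detected).
    404: path is inside the directory but no such file.
    200: serve the resolved file.
    """
    if not secure_image_links:
        return 403, None
    parts = urlsplit(url)
    if not parts.path.startswith(ROUTE_PREFIX):
        return 404, None
    # Routers hand the controller a percent-decoded segment, so decode before checking;
    # checking the raw "..%2f" string would miss the traversal entirely.
    rel_path = unquote(parts.path[len(ROUTE_PREFIX):])
    target = resolve_within(base_dir, rel_path)
    if target is None:
        return 418, None
    qs = parse_qs(parts.query)
    try:
        expires_at = int(qs.get("expires", ["0"])[0])
    except ValueError:
        return 403, None
    expected = hmac.new(key, f"{rel_path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    provided = qs.get("signature", [""])[0]
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return 403, None
    if now >= expires_at:
        return 403, None
    if not os.path.isfile(target):
        return 404, None
    return 200, target


def make_demo_storage() -> str:
    """Create a throw-away image directory with one photo and a sibling .env (constructed data)."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "uploads", "big")
    os.makedirs(images)
    with open(os.path.join(images, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8demo")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_KEY=secret\n")
    return images


if __name__ == "__main__":
    images = make_demo_storage()
    good = sign_temporary_url("photo.jpg", 2_000_000_000)
    print(validate_image_request(good, images, now=1_900_000_000))
    print(validate_image_request("/image/..%2f..%2f.env", images, now=1_900_000_000))
```

The order of the checks matters for the advisory's logging advice: containment runs before signature verification, so an unsigned traversal probe still produces the 418 that the detection section looks for, while a forged or expired signature on an in-bounds path is a plain 403.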