CVE-2025-62429
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-11-10

Assigner: GitHub, Inc.

Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-11-10
Generated
2026-06-16
AI Q&A
2025-10-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62429
EUVD
EUVD-2025-35079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxygenz clipbucket From 5.3 (inc) to 5.5.2-147 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62429 is a vulnerability in ClipBucket v5 (prior to version 5.5.2) that allows an attacker with administrator privileges to execute arbitrary PHP code on the server. This happens because the 'type' parameter in a POST request is embedded directly into PHP tags without proper sanitization in the file /upload/admin_area/actions/update_launch.php. By injecting malicious code into this parameter, an attacker can run arbitrary shell commands, leading to remote code execution (RCE). [2]

Impact Analysis

This vulnerability can lead to a full remote code execution on the server hosting ClipBucket v5, allowing an attacker with administrator access to execute arbitrary PHP code and shell commands. This can result in complete system compromise, including unauthorized access, data theft, data modification, service disruption, and potentially taking control of the entire server environment. [2]

Detection Guidance

This vulnerability can be detected by attempting to exploit the arbitrary PHP code execution via the vulnerable 'type' parameter in a POST request to /upload/admin_area/actions/update_launch.php. For example, using a curl command with administrator privileges to send a crafted POST request such as: curl -X POST -d "type=core';shell_exec('touch /tmp/malicious.txt');//" https://your-clipbucket-site/upload/admin_area/actions/update_launch.php. If the file /tmp/malicious.txt is created on the server, it indicates the vulnerability is present. [2]

Mitigation Strategies

The immediate mitigation step is to update ClipBucket v5 to version 5.5.2 or later, where this vulnerability has been fixed. This update addresses the arbitrary PHP code execution issue along with other security fixes. Additionally, restrict administrator access and monitor for suspicious POST requests to the vulnerable endpoint until the update is applied. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart