CVE-2025-66449
Unknown Unknown - Not Provided
Arbitrary File Write in ConvertXis Upload Enables Code Execution

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66449
EUVD
EUVD-2025-203483
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
c4illin convertx 0.16.0
c4illin convertx 0.15.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in ConvertX versions prior to 0.16.0 allows an authenticated user to upload files with arbitrary filenames to the system via the /upload endpoint without any sanitization. Because the filename is taken directly from user input without validation, an attacker can perform path traversal attacks to write files anywhere on the system, including overwriting critical system binaries. This enables the attacker to execute arbitrary code on the host or container running ConvertX. [2]

Impact Analysis

Exploiting this vulnerability can lead to an attacker overwriting important system binaries with malicious files, resulting in full arbitrary code execution on the host or container running ConvertX. This compromises the confidentiality, integrity, and availability of the system. The attack requires only low privileges (an authenticated user) and no user interaction beyond authentication, making it relatively easy to exploit. [2]

Detection Guidance

You can detect this vulnerability by monitoring for unusual file uploads to the /upload endpoint, especially files with suspicious or unexpected filenames that could indicate path traversal attempts. Checking for overwritten system binaries or unexpected files in system directories can also indicate exploitation. Since the vulnerability involves authenticated users uploading files without filename sanitization, reviewing logs for authenticated upload requests with suspicious file names is useful. Specific commands might include: 1) Using web server or application logs to grep for POST requests to /upload with suspicious filenames, e.g., `grep '/upload' /var/log/convertx/access.log | grep -E '\.\./|/etc/|/bin/'` 2) Searching the filesystem for recently modified critical binaries, e.g., `find /bin /usr/bin /usr/local/bin -type f -mtime -7 -exec ls -l {} \;` 3) Using file integrity monitoring tools (like tripwire) to detect changes in system binaries. 4) Network monitoring tools to detect unusual POST requests to /upload endpoint. These approaches help identify exploitation attempts or successful attacks. [2]

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade ConvertX to version 0.16.0 or later, which contains the patch that sanitizes filenames during file uploads to prevent arbitrary file writes. 2) Restrict access to the /upload endpoint to only trusted authenticated users and monitor upload activity closely. 3) Implement additional input validation or filtering on filenames if possible. 4) Review and restore any overwritten system binaries from trusted backups. 5) Consider deploying file integrity monitoring to detect unauthorized changes. 6) If upgrading immediately is not possible, temporarily disable or restrict the /upload endpoint to prevent exploitation. These steps reduce the risk of arbitrary code execution via malicious file uploads. [1, 2]

Compliance Impact

The vulnerability allows authenticated users to write arbitrary files on the system, including overwriting system binaries and executing arbitrary code. This leads to a high impact on confidentiality, integrity, and availability of the system. Such a compromise can result in unauthorized access to sensitive data or disruption of services, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of data confidentiality and system integrity. Therefore, this vulnerability negatively affects compliance with these common standards and regulations by exposing the system to risks of data breaches and unauthorized control. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart