CVE-2025-66480
Unknown Unknown - Not Provided
Directory Traversal in Wildfire IM Upload Allows Remote Code Execution

Publication date: 2026-02-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-03-03
Generated
2026-05-07
AI Q&A
2026-02-03
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wildfirechat im-server to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Wildfire IM versions prior to 1.4.3 in the im-server component's file upload functionality. The application does not properly sanitize filenames during file uploads, allowing an attacker to use directory traversal sequences (like ../../) to write arbitrary files anywhere on the server's filesystem where the application has write permissions. This can lead to an attacker uploading malicious files such as scripts or executables, potentially resulting in Remote Code Execution (RCE) and full server compromise.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can write arbitrary files to the server, including malicious scripts or executables, which can lead to Remote Code Execution (RCE). This means the attacker can fully compromise the server, potentially gaining control over the system, accessing sensitive data, disrupting services, or using the server for further attacks.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Wildfire IM to version 1.4.3 or later, where the vulnerability is fixed. Until the upgrade can be performed, restrict access to the /fs endpoint and monitor for any suspicious file upload activity to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart