CVE-2025-21622
Published: 07 January 2025
Description
ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url) therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237.
Security Summary
ClipBucket V5, an open source PHP-based video hosting platform, is affected by CVE-2025-21622, a path traversal vulnerability classified under CWE-22. The issue arises in the user avatar upload and deletion workflow, where users can upload and change their avatars at any time. During deletion, the application treats the user-provided avatar_url—stored in the database—as a filepath within the avatars subdirectory. Without validation for path traversal sequences, the resulting $file variable becomes tainted, enabling deletion of files outside the intended avatars folder scope. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The CVSS vector rates the flaw PR:N, reflecting that the vulnerable avatar workflow is reachable from any user account; on an instance with open self-registration, a remote attacker therefore needs no pre-existing privilege. The attack path follows the description: supply a value containing path traversal sequences (e.g., ../) as the avatar_url that ClipBucket stores in the database, then trigger the avatar deletion so that the tainted $file path reaches the delete operation. The result is deletion of arbitrary files that the web server process is permitted to remove, outside the avatars directory. The vector scores this as availability impact only (C:N/I:N/A:H): the attacker cannot read files or write chosen content, but deleting configuration or application files can take the service down.
The vulnerability is addressed in ClipBucket version 5.5.1 - 237, as detailed in the fix commit at https://github.com/MacWarrior/clipbucket-v5/commit/22329c4675e82c7c95e74024ba247f837ac9e00b and the GitHub Security Advisory GHSA-5qpx-23rw-36gg at https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-5qpx-23rw-36gg. Security practitioners should upgrade to the patched version and review avatar handling code for similar traversal risks in custom deployments.
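As an added illustration, not ClipBucket's code and not the fix commit, the following PHP contrasts the unchecked path join described above with a hardened deletion routine. The function names, the directory layout, the file names and the traversal payload are hypothetical and constructed for the demo; the avatars directory and the target file live in a temporary tree that the script creates and removes itself.

```php
<?php
// Added example of the CWE-22 pattern in an avatar deletion routine.
// NOT ClipBucket's code: names, paths and payload are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the DB-sourced avatar_url is joined onto the avatars
// directory with no traversal check, so "../config.php" escapes the folder.
function delete_avatar_unsafe(string $avatarsDir, string $avatarUrl): bool
{
    $file = $avatarsDir . DIRECTORY_SEPARATOR . $avatarUrl;
    if (is_file($file)) {
        return unlink($file);
    }
    return false;
}

// Hardened pattern: accept only a single path component, then prove with
// realpath() that the canonical target sits inside the avatars directory.
function delete_avatar_safe(string $avatarsDir, string $avatarUrl): bool
{
    // 1. Reject anything that is not a bare file name. basename() strips
    //    directory parts; if that changes the value, a separator or a
    //    traversal sequence was present.
    if ($avatarUrl === '' || $avatarUrl === '.' || $avatarUrl === '..'
        || basename($avatarUrl) !== $avatarUrl) {
        return false;
    }
    // 2. Allow only the character set an avatar file name should contain.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $avatarUrl)) {
        return false;
    }
    // 3. Canonicalise both paths (realpath() also follows symlinks) and
    //    compare with a trailing separator, so "/srv/avatars_old" is not
    //    accepted as being inside "/srv/avatars".
    $base   = realpath($avatarsDir);
    $target = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $avatarUrl);
    if ($base === false || $target === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed temporary tree: <root>/avatars/user42.png and <root>/config.php.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . bin2hex(random_bytes(4));
$avatars = $root . DIRECTORY_SEPARATOR . 'avatars';
$config  = $root . DIRECTORY_SEPARATOR . 'config.php';
mkdir($avatars, 0700, true);
file_put_contents($avatars . DIRECTORY_SEPARATOR . 'user42.png', 'png');
file_put_contents($config, '<?php // hypothetical secret');

// Traversal payload as it might be stored in avatar_url.
$payload = '..' . DIRECTORY_SEPARATOR . 'config.php';

echo "unsafe delete with payload: " . var_export(delete_avatar_unsafe($avatars, $payload), true) . PHP_EOL;
echo "config.php still exists:    " . var_export(file_exists($config), true) . PHP_EOL;

file_put_contents($config, '<?php // hypothetical secret'); // restore for the second run

echo "safe delete with payload:   " . var_export(delete_avatar_safe($avatars, $payload), true) . PHP_EOL;
echo "config.php still exists:    " . var_export(file_exists($config), true) . PHP_EOL;
echo "safe delete of user42.png:  " . var_export(delete_avatar_safe($avatars, 'user42.png'), true) . PHP_EOL;

// Clean up the constructed tree.
@unlink($config);
@unlink($avatars . DIRECTORY_SEPARATOR . 'user42.png');
@rmdir($avatars);
@rmdir($root);
```

Run with `php` from the command line. The unsafe routine removes config.php because the joined path resolves outside the avatars directory; the hardened routine refuses the same payload at the first check and still deletes a legitimate avatar. The realpath() containment test in step 3 is the check that matters even when a later refactor lets a path with separators through, since it rejects both traversal and a symlink planted inside the avatars directory that points elsewhere.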
Details
- CWE(s)