Cyber Posture

CVE-2025-21623

High · Public PoC

Published: 07 January 2025

Modified: 05 September 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0136 (80.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1-238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.

Security Summary

ClipBucket V5, an open source PHP-based video hosting platform, is affected by CVE-2025-21623, a directory traversal vulnerability (CWE-22, CWE-306) in versions prior to 5.5.1-238. The flaw allows attackers to manipulate the template directory path, disrupting normal application functionality and leading to a denial of service. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting a high impact on availability, low attack complexity and no authentication requirement.

Unauthenticated attackers can exploit this vulnerability remotely over the network with minimal effort, requiring no privileges or user interaction. By traversing directories to alter the template directory, they can cause the application to fail to load its templates, resulting in a denial of service that renders the video hosting service unavailable.

The GitHub security advisory (GHSA-ffhj-hprx-7qvr) and associated commit (75d663f010cd8569eb9e278f030838174fb30188) in the MacWarrior/clipbucket-v5 repository detail the patch, which sanitizes the template directory input to prevent traversal. Security practitioners should upgrade to ClipBucket V5 version 5.5.1-238 or later to mitigate the issue.

Details

CWE(s)
CWE-22, CWE-306

Affected Products

oxygenz clipbucket: 5.3 to 5.5.1-238

References