CVE-2025-21624

CVE-2025-21624 is a critical file upload vulnerability (CVSS 9.8; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CWE-434) in ClipBucket V5, an open-source PHP-based video hosting platform. In versions prior to 5.5.1-239, the Manage Playlist functionality fails to properly validate uploaded playlist cover images, allowing attackers to upload PHP script files instead of legitimate images. This enables storage and execution of malicious files, such as webshells, on the server. The issue affects both the admin area and low-level user areas.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading a malicious PHP file via the playlist cover image upload feature, attackers achieve remote code execution on the server, potentially leading to full compromise including data theft, modification, or disruption, as indicated by the high impact scores across confidentiality, integrity, and availability.

ClipBucket addresses this vulnerability in version 5.5.1-239. Security practitioners should upgrade to this patched release immediately. Additional details, including the fix implementation, are available in the GitHub security advisory at https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-98vm-2xqm-xrcc and the corresponding commit at https://github.com/MacWarrior/clipbucket-v5/commit/893bfb0f1236c4a59b5e2843ab8d27a1e491b12b.