CVE-2025-22137
Published: 08 January 2025
Description
Pingvin Share is a self-hosted file sharing platform and an alternative to WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.
Security Summary
CVE-2025-22137 is a critical vulnerability in Pingvin Share, a self-hosted file sharing platform designed as an alternative to WeTransfer. The flaw enables arbitrary file overwrites on the server, including sensitive system files, through HTTP POST requests, due to improper input validation (CWE-20) and unrestricted upload of files with dangerous types (CWE-434). It affects versions of Pingvin Share prior to 1.4.0 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Both authenticated users and unauthenticated users (if anonymous shares are permitted) can exploit it without any privileges, achieving a high-impact compromise of confidentiality, integrity, and availability by overwriting critical files on the server.
The vulnerability has been patched in Pingvin Share version 1.4.0. Mitigation involves upgrading to this version or later, as detailed in the GitHub security advisory (GHSA-rjwx-p44f-mcrv) and the associated fix commits.
Details
- CWE(s)